19.5% of the Team. ~$4.25M in Extrapolated Risk.
A proof-of-concept assessment covering 39 of approximately 200 staff — just 19.5% of the organisation — uncovered $827,805 in direct privacy risk. Extrapolated to the full team, that represents an estimated $4.25M in exposure. Years of HR, recruiting, and community service workflows had quietly accumulated nearly 5,000 sensitive items in Microsoft 365.
This PoC covered 39 of approximately 200 staff (19.5% of the organisation). The findings extrapolate to an estimated $4.25M in risk across the full team. Data & More serves organisations of all sizes.
Normal workflows quietly accumulate sensitive community data.
For a municipality, routine operations — hiring staff, processing insurance, responding to community health inquiries, onboarding volunteers — all generate sensitive personal data. The challenge is that this data doesn’t disappear after the workflow ends. It accumulates in staff email inboxes, sometimes for years, long after any operational need has passed.
With 39 users, this can seem like a manageable problem. But each user acts as a custodian for community member records — residents, employees, contractors, and volunteers — making the exposure per breach event disproportionately high relative to the organization’s size.
Email holds 99.9% of the financial risk
Exchange Online accounts for $827,632 of the $827,805 in total assessed risk. Unlike most organizations where SharePoint is a significant factor, this environment’s risk is almost entirely concentrated in staff email inboxes — a pattern driven by community-facing workflows conducted by email.
HR workflows are the largest source of exposure
Recruiting, employment, and health information — including PHI (personal health information) — represent the dominant data categories. These arise from standard municipal HR processes: hiring, onboarding, benefits administration, and accommodation requests.
Community health data reached staff inboxes
Sensitive health information from community members — including cancer screening inquiries and summer camp medical disclosures — was found in staff email. This is a high-risk category because it involves residents’ personal medical details, not just employee data.
Plain-text credentials stored in Deleted Items
Administrative usernames and passwords for a third-party benefits platform (GreenShield) were found stored in plain text across multiple emails. In most cases the messages had been deleted but were retained in Deleted Items — a gap that a more granular retention policy would directly address.
What a PoC scan of 39 users revealed
A proof-of-concept scan covering 39 of approximately 200 staff in the town’s Microsoft 365 environment — all mailboxes, OneDrive locations, and SharePoint site collections — surfaced nearly 5,000 sensitive items and 642 security data items requiring review.
Recruitment and identity documents account for over 60% of privacy data
This distribution is characteristic of municipal operations: identity verification during hiring and onboarding, combined with community-facing services, generates a steady accumulation of government-issued ID data and HR records that tends to remain in email long after its immediate purpose is served.
Exchange Online dominates — SharePoint is clean
99.9% of financial risk resides in Exchange Online, while SharePoint Online (122 site collections) and OneDrive (38 locations) show near-zero exposure. This is a notably concentrated risk profile — and a strategic advantage, since remediation efforts can focus almost entirely on email.
Key insight: Because risk is so concentrated in email, even a targeted retention policy applied to two or three data categories could eliminate the majority of exposure — without touching SharePoint or OneDrive at all.
Three policies. $548K immediate. ~$3.74M extrapolated.
These quick wins were identified from the PoC scope. The extrapolated column projects the impact across the full ~200-user organisation at the same risk density.
Health information is the single largest quick win — 1,823 items across 36 of 39 users, carrying $315,379 in risk reduction from a single medium-complexity policy. Notably, this category includes personal health information (PHI) from community members, making it both a compliance and a community trust priority. The global retention policy already in place has successfully prevented any data older than five years from accumulating — a foundation to build on.
From unmanaged community records to a defensible, governed environment.
Municipalities hold a broad range of sensitive personal data on behalf of their communities. This assessment gives the organization a precise foundation to manage that responsibility — proactively rather than reactively.
A complete picture of where community data lives
For the first time, the organization has a precise inventory of where sensitive personal data resides — enabling targeted remediation rather than broad, disruptive data sweeps across all 39 users.
Municipal privacy obligation compliance
With documented discovery, review, and retention policies in place, the municipality can demonstrate active data stewardship — an increasingly scrutinized obligation for public sector organizations handling community member data.
AI readiness — SharePoint already there
SharePoint Online (122 site collections) is 100% AI-ready today. Exchange Online at 3% requires the most work. With 97% of users needing to participate in the privacy data review, the path is clear and scoped.
Credential security remediation
The plain-text GreenShield credentials found in Deleted Items across multiple mailboxes represent an immediate security priority. Addressing this closes a meaningful attack surface, regardless of whether passwords have since been rotated.
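The "more granular retention policy" that the Deleted Items finding above calls for can be expressed as an Exchange Online messaging records management (MRM) retention tag scoped to that one default folder. The script below is an added example written for this page; it is not Data & More's tooling and not something the assessed town runs. The tag name, policy name, 30-day limit and pilot mailbox are assumptions, and it assumes the ExchangeOnlineManagement module and an account holding the Retention Management role.

```powershell
# Added example (not part of the assessment or the vendor's product): a
# folder-level MRM retention tag that purges the Deleted Items folder after
# a short window, so deleted messages (for example the plain-text benefits
# platform credentials described in this assessment) do not sit in Deleted
# Items for years. Names, the 30-day limit and the mailbox are assumptions.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

$tagName    = 'Deleted Items - purge after 30 days'   # constructed name
$policyName = 'Municipal MRM - short Deleted Items'    # constructed name
$pilotUser  = 'pilot.user@contoso.example'             # placeholder mailbox

# 1. A tag of type DeletedItems applies only to that default folder.
#    PermanentlyDelete bypasses the user-visible recovery step; the item
#    still sits in Recoverable Items for the mailbox's RetainDeletedItemsFor
#    window (14 days by default) before it is gone for good.
if (-not (Get-RetentionPolicyTag -Identity $tagName -ErrorAction SilentlyContinue)) {
    New-RetentionPolicyTag -Name $tagName `
        -Type DeletedItems `
        -AgeLimitForRetention 30 `
        -RetentionAction PermanentlyDelete `
        -Comment 'Purge Deleted Items after 30 days (credential hygiene)'
}

# 2. A retention policy may hold only one tag per default-folder type, and
#    "Default MRM Policy" already ships with a Deleted Items tag. Instead of
#    editing the default policy, build a separate one that keeps the default
#    policy's other tags and swaps in the new Deleted Items tag.
$default   = Get-RetentionPolicy -Identity 'Default MRM Policy'
$otherTags = $default.RetentionPolicyTagLinks |
    ForEach-Object { Get-RetentionPolicyTag -Identity "$_" } |
    Where-Object { $_.Type -ne 'DeletedItems' } |
    Select-Object -ExpandProperty Name

if (-not (Get-RetentionPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-RetentionPolicy -Name $policyName -RetentionPolicyTagLinks ($otherTags + $tagName)
}

# 3. Assign the policy to a pilot mailbox first, then run the Managed Folder
#    Assistant so the tag is stamped now rather than on the next scheduled pass.
Set-Mailbox -Identity $pilotUser -RetentionPolicy $policyName
Start-ManagedFolderAssistant -Identity $pilotUser

# 4. Verify: the mailbox reports the new policy and the policy links the tag.
Get-Mailbox -Identity $pilotUser | Select-Object DisplayName, RetentionPolicy
(Get-RetentionPolicy -Identity $policyName).RetentionPolicyTagLinks
```

Two caveats matter when reading the result. First, MRM deletion is subordinate to holds: if a Microsoft Purview retention policy with a "retain" setting covers the mailbox, as the five-year global policy mentioned above may, items the tag deletes are preserved in Recoverable Items until that retention period ends, so the tag removes the copies users can see and search but not the legally held ones. Second, shortening folder retention limits how long a credential lingers; it does not undo the exposure that already happened, which is why the credential rotation question in the paragraph above is separate from the retention fix.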
A small team. Thousands of community records. One assessment — and a clear, prioritized path to significantly lower risk.
Every organization’s data tells a story.
Find out what yours says.
A Data & More assessment takes weeks, not months — and gives your team the complete picture needed to act with confidence.
