SEVERIAN TECHNOLOGY GROUP

Current Engagement · Purview Data Risk Assessment · A Major U.S. Cultural Institution

Severian Technology Group is the data security practice of Matthew Silcox, a Microsoft Most Valuable Professional in Purview Data Security and a United States Marine Corps veteran.

The work is architecting and implementing Microsoft Purview programs for organizations that already own E5 licensing and need their Purview tenant to do what their auditors, compliance frameworks, and Copilot deployment plans already assume it is doing.

The clients are regulated enterprises (healthcare, financial services, government, defense, and nonprofit) operating under frameworks that assume data security controls already exist.

If this describes your situation: matt@severiansecurity.com · Book a 30-minute scoping call

The license was treated as the deliverable, but it was only ever the starting material. Copilot didn't create a new risk; it made the existing one observable.

Featured engagement

The Copilot Oversharing Report Card

Find out what Copilot can see, before your users do.

$2,500 flat. Founding rate for the first five organizations; $3,500 after. Five business days, start to readout.

You get
  • An evidence-based A–F exposure grade for your Microsoft 365 tenant — measured, not estimated.
  • The top-10 overshared locations, each with an owner and a blast radius
  • A sensitive-data heat list: the SITs that actually matter to you (SSNs, donor and student records, payroll, board materials)
  • A 60-minute executive readout in plain language
  • One fixed-fee next step. No hourly anything, ever.

Why us: Built and personally delivered by one of a small handful of U.S. Microsoft MVPs recognized for Purview and data security: the practitioner, not a bench of juniors. Recent client: a major U.S. art museum, 500 seats, pre-Copilot rollout.

Priced to be signable without procurement. One week from now, you’ll know your grade.

Free read

Free: Your Copilot Exposure Grade

An estimated A–F grade — outside-in, no tenant access. Based on two questions, your licensing, and how Microsoft 365 estates like yours typically drift. It answers one question: how worried should you be?

The Report Card is the diagnosis — your real grade, measured inside the tenant, with the receipts.

The work

Severian Technology Group architects and implements data security programs on Microsoft Purview. The platform already exists inside your E5 tenant. The work is configuring it with the specificity it demands.

Assessment

A comprehensive examination of sensitive data across Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams, plus the oversharing exposure that M365 Copilot will amplify if left unaddressed. For mailbox scanning specifically, Severian deploys proprietary tooling that produces results Microsoft's native compliance capabilities do not: actionable, exportable, on-demand inventories of sensitive information types across the full breadth of an Exchange environment, including historical mail at rest that Purview auto-labeling policies cannot retroactively reach.

Content Search and eDiscovery were designed for legal holds and targeted investigation, not for the kind of systematic, organization-wide data mapping that a serious DLP and Copilot-readiness architecture requires. The tool was built because the gap in the platform existed and no one had closed it.

Architecture

Sensitivity labels designed not as a taxonomy exercise but as an operational framework. Each label maps directly to encryption behavior, access restrictions, and downstream DLP policy enforcement.

Information protection policies written to accommodate how people actually work, which is never quite how compliance frameworks imagine they do. DLP rules built with sufficient precision to avoid the characteristic failure modes of the discipline: policies so broadly scoped they produce debilitating alert volumes, and policies so narrowly defined they miss the regulated data they were designed to intercept.

Integration

Where Purview intersects with security infrastructure already deployed (Symantec DLP, Digital Guardian, Varonis, or other platforms), Severian builds integration through the Microsoft Information Protection SDK.

Classification decisions made within Purview propagate to third-party enforcement points. The sensitivity label follows the document across system boundaries. The security ecosystem becomes technically coherent rather than administratively stitched together.

Engagements

Every engagement is fixed-scope and fixed-fee. No hourly billing. No scope ambiguity. The deliverable is something you can hand to an auditor, a board, or a remediation team.

Fixed-fee engagement

Purview Data Risk Assessment

Where your attested compliance posture and your operational reality diverge.

$15,000 flat. Three weeks, start to readout.

You get
  • A scored examination of what your Purview tenant is actually classifying, what it is missing, and where the gap between your attested compliance posture and your operational reality is widest
  • Proprietary Exchange Online at-rest mailbox scanning
  • A sensitivity label taxonomy recommendation
  • A prioritized remediation roadmap with 30/60/90-day milestones

Sometimes the assessment is the entire engagement. More often it becomes the basis for the architecture and implementation work that follows.

Fixed-fee engagement

Copilot Readiness & Oversharing Assessment

Copilot does not apply judgment to access — it operates within your users’ existing permissions.

$25,000 flat. Four weeks, start to readout.

For organizations deploying or planning M365 Copilot. This engagement quantifies the data exposure Copilot will amplify.

You get
  • SharePoint oversharing audit
  • Persona-based risk modeling
  • DLP-for-Copilot policy templates
  • A go/no-go recommendation with a Copilot-safe deployment architecture

Fixed-fee engagement

Enterprise Purview Readiness

Full-stack Purview design for regulated enterprises with complex requirements.

$45,000–$75,000, fixed at scoping. Six to eight weeks. Scoped on seat count, workload count, and regulatory complexity.

You get
  • Information Protection, DLP, Insider Risk Management, Data Lifecycle Management, and Compliance Manager — designed as one program
  • An implementation blueprint with configuration-level specifications
  • A phased deployment plan
  • A total cost of ownership model for your Purview investment

Monthly retainer

Managed Purview Operations

Ongoing Purview support after implementation.

Retainers start at $4,000/month.

You get
  • Monthly DLP and policy tuning
  • Oversharing monitoring via proprietary scanning
  • Quarterly executive review
  • Ad-hoc advisory

Most Purview tenants are configured to catch what the documentation demonstrates. The regulated data that actually lives in your environment rarely looks like the examples.

Matthew Silcox

Severian is the practice of Matthew Silcox, a Microsoft Most Valuable Professional in Purview Data Security and one of three U.S.-based MVPs whose recognized contribution area is Microsoft Purview. Matt holds SC-100 (Cybersecurity Architect Expert), SC-200 (Security Operations Analyst Associate), and SC-401 (Information Security Administrator Associate) certifications. Prior to technology, Matt served four years in the United States Marine Corps.

MVPs gain access to pre-release capabilities, roadmap briefings, and the architectural context that determines how these platforms will evolve before that evolution reaches public documentation.

The technical depth (implementation specifics, undocumented platform behaviors, the problems that emerge only at the boundary between what the documentation promises and what the software actually does) is published at severian.ghost.io for practitioners who do the work, not the people who approve the budget.

Recent writing

The Payer Data Classification Gap That's Going to Show Up in Your NPRM Asset Inventory

Why the NPRM's classification mandate traces to OCR's enforcement pattern rather than any single named breach, and what payers should be inventorying now.

The HIPAA Security Rule NPRM is a Forensic Document

Reading the proposed Security Rule as forensic reconstruction: how 2024's largest breaches dictated 2026's compliance map.

The Copilot Problem Is a Data Hygiene Problem

Copilot did not create a new security risk. The exposure was already there; the deployment just made it observable.

Pick the engagement type that fits. The conversation takes 30 minutes.

Field Notes Blog

Purview, Copilot readiness, and data security — written for the people who do the work. No more than weekly.