The issue is caused by incorrect database query.
Once there is a match for a DLP rule, in which the action is set to "Ask" or "Prevent", an incident is created.
Each incident is saved in a local database and includes the following information:
- Incident ID
- Sender e-mail address
- Creation date
- DLP action
On a daily basis, a database query is made searching for incidents, which are over 4 days old. The result, a number of incidents, will be sent to the "sender e-mail address" with a pre-defined text:
"You have X un-handled incidents awaiting for you in the Data Loss Prevention portal.
Click here in order to view and handle them."
Once the user logs in to the DLP portal, a different database query is made to present the pending incidents.
While the DLP portal query filters the incidents based on "DLP action" - "Ask", the daily query does not.
This causes the number of pending incidents written in the expiration notification e-mail to being larger than the actual number of pending incidents.