The issue is caused by incorrect database query.

Once there is a match for a DLP rule, in which the action is set to "Ask" or "Prevent", an incident is created.

Each incident is saved in a local database and includes the following information:

• Incident ID
• Sender e-mail address
• Creation date
• DLP action

On a daily basis, a database query is made searching for incidents, which are over 4 days old. The result, a number of incidents, will be sent to the "sender e-mail address" with a pre-defined text:

"You have X un-handled incidents awaiting for you in the Data Loss Prevention portal.
Click here in order to view and handle them."

Once the user logs in to the DLP portal, a different database query is made to present the pending incidents.

While the DLP portal query filters the incidents based on "DLP action" - "Ask", the daily query does not.

This causes the number of pending incidents written in the expiration notification e-mail to being larger than the actual number of pending incidents.