Kern County unifies its approach to secure and govern data with Microsoft Purview

As California’s third-largest county, Kern County is home to vital agricultural and energy regions. Known for its resilient citizens and communities, the county government is channeling that same drive into modernizing its security. Operating like 40 separate small businesses, each department had its own IT processes, making it difficult to establish the county’s approach to secure and govern data. The county looked to proactively mitigate oversharing and data loss risks associated with deploying Microsoft 365 Copilot. With fragmented IT environments, increased risk, and growing compliance demands, Kern County needed a unified approach to protect sensitive information.

Building a robust data security foundation with Microsoft Purview

To address its data protection needs, Kern County adopted Microsoft 365 Government G5, which includes Microsoft Purview. The county implemented Microsoft Purview Data Loss Prevention (DLP), Microsoft Purview Information Protection, and Microsoft Purview eDiscovery to mitigate against data oversharing and leakage. “Data is a shared responsibility, and we ensured this with communication alongside Purview’s rollout,” says Mark Buonauro, Chief Information Technology Officer at Kern County. “Government moves slower than the private sector, but Purview’s execution impressed us,” he adds, highlighting how the platform unified the county’s approach to data protection. Implementing major technology shifts in the public sector often requires more coordination, communication, and trust-building across departments than in private industry.

Aaron Nance, Deputy Chief Information Security Officer at Kern County, built a four-person security team to oversee execution across departments. In addition, Kern County’s Technical Advisory Committee of IT leaders is forming an AI governance subcommittee to guide responsible AI use. Nance’s team rolled out a data classification model using Purview’s auto-applied sensitivity labels and policies. The county’s federated approach—central oversight by Nance’s security operations team combined with decentralized IT teams—was a key consideration in deploying a unified solution like Purview. With regulatory obligations spanning HIPAA, CJIS, and more than 20 others, the county needed to ensure all data was accurately classified and secure. “Everything should have a label now,” Nance says. “We can track regulated information and monitor access across Microsoft 365. Purview gives us visibility.” To ensure successful adoption, his team created and distributed six weeks of targeted training materials to help users understand new policies and labeling practices.

The county uses Purview eDiscovery to streamline compliance processes by responding more effectively to legal requests, internal investigations, and retention policies. “Purview helped us go from reaction to readiness,” Nance says. “We’re catching issues proactively instead of retroactively scrambling to contain them.” To further strengthen security posture, Kern County adopted Microsoft Security Copilot, which accelerates alert triage and delivers automated insights directly within Purview.

Shaping a future of data security in the era of AI

The county is seeing results. Over 13 million files have been classified using Purview, DLP policies flagged 3,000+ incidents in one month, and more than 8,500 eDiscovery searches have been conducted since implementation. Nance notes, “The metrics validate that we’re doing the right work. Our access reviews are faster, we’ve reduced risk exposure, and we’re much better prepared for audits.” The project was completed in six months, with ongoing support driving continued success. A validation assessment showed Purview saved the county about $1 million in mitigating risk and potential non-compliance, scaling efforts countywide.

Looking ahead, Kern County plans to expand its ability to secure and govern data by investing in Purview’s data governance tools. “Purview was a necessary step to ensure we were preventing oversharing and protecting sensitive content before bringing in AI tools like Copilot,” says Nance. “We first needed to get data security right, and that urgency helped us align our IT teams and move forward quickly.” The county will deploy approximately 400 Copilot licenses in a controlled rollout, with strict access reviews and user training required.

Buonauro agrees that the work is far from over. "The improvements we've made in data loss prevention and classification checked off a ton of boxes, but they're just the start,” he says. “We will continue strengthening our security and compliance to deliver smarter, more secure services our citizens can rely on.”

Discover more about Kern County on Facebook, Instagram, LinkedIn, X/Twitter, and YouTube.