Understand customer notification process
The following diagram illustrates the customer notification process after a confirmed security incident occurs.
The incident response and customer notification process is as follows: Event Start, Event Detected, On-call engineer Engaged, Security Response Team Engaged, Security Incident Confirmed, Customer Impact Determined, Affected Customers Determined, and finally, Affected Customers Notified.
Microsoft responsibility
If at any point in the investigation of a security or privacy incident the security response team discovers that customer data has been the subject of accidental or unlawful destruction, loss, or alteration, unauthorized disclosure, or unauthorized access, then the event is declared a Customer Data Breach and the customer incident notification process is initiated. Microsoft identifies and notifies any affected tenants within 72 hours in accordance with the guidelines of many regulatory frameworks.
The notification timeline commitment begins when the official security incident declaration occurs. Upon declaring a security incident, the notification process occurs as expeditiously as possible, without undue delay.
Customer notification for security incidents occurs via appropriate channels based on the nature and scope of the incident. These channels may include one or more of the following notifications:
- Notification in the Message Center of the Microsoft 365 admin center
- Email to the customer's tenant administrator
- Email to the customer's designated Global Privacy Contact (if the tenant Admin has defined it in the Microsoft Entra Admin center)
- Direct outreach by phone call to the customer's tenant administrator by a specially trained Support team member
Microsoft's customer notification commitments are detailed in two sections of the Microsoft Products and Services Data Protection Addendum.
Security incident notification
Notification(s) of Security Incidents will be delivered to one or more of Customer's administrators by any means Microsoft selects, including via email. It's the Customer's sole responsibility to ensure Customer's administrators maintain accurate contact information on each applicable online services portal. Customer is solely responsible for complying with their obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident.
Microsoft shall make reasonable efforts to assist Customer in fulfilling Customer's obligation under GDPR Article 33 or other applicable law or regulation to notify the relevant supervisory authority and data subjects about such Security Incident.
Microsoft's notification of or response to a Security Incident under this section is not an acknowledgment by Microsoft of any fault or liability with respect to the Security Incident.
Customers must notify Microsoft promptly about any possible misuse of its accounts or authentication credentials or any security incident related to an online service.
Appendix A – security measures
Incident response process
For each security incident that is a Customer Data Breach, notification by Microsoft (as described in the "Security Incident Notification" section) will be made without undue delay and, in any event, within 72 hours.
Customer responsibility
To ensure notifications are received promptly by the correct customer contacts, the customer must maintain accurate contact information in their tenant profiles.
Customers should ensure their contact information is up to date in the Microsoft 365 admin center.
Customer administrators should configure the options for how Data Privacy messages are displayed in the Message Center to ensure relevant customer administrators are made aware of incident notifications.
If necessary, Global Admins can configure more roles with access to Message Center content to avoid granting unnecessary administrative rights to non-administrators who require access to incident notifications.
Customers share responsibility with Microsoft for reporting security incidents. In the context of Microsoft Commercial services (as opposed to Consumer services), Microsoft is the Data Processor, while the customer is the Data Controller. If a security incident where Microsoft serves as the Data Processor, Microsoft will notify affected customers, who are then responsible for notifying their Data Protection Authorities, regulatory bodies, and affected users as required by any relevant regulations or laws. In addition, if a customer becomes aware of a security incident involving its own user accounts or any Microsoft online service, the customer must notify Microsoft promptly as described in the Microsoft Products and Services Data Protection Addendum.