Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
As a data processor, Office 365 ensures that our customers are able to meet the GDPR's breach notification requirements as data controllers. To that end, we're committed to the following actions:
- Provide customers with an ability to specify a dedicated privacy contact who is notified if a breach occurs. Customers can specify this contact using the Privacy reader role settings for Message Center.
- Notify customers of a personal data breach within 72 hours of a breach being declared. Notifications are published to the Message Center, which is accessible through the Microsoft 365 admin center. Secondarily, email notifications are sent to specified contacts indicating a new Message Center post.
- Include in the initial notification, a description of the nature of the breach, approximation of user impact, and any applicable mitigation steps. If our investigation isn't complete at the time of initial notification, we'll indicate next steps and timelines for subsequent communication in our initial notification
Microsoft recognizes that data controllers are responsible for conducting risk assessments and determining whether a breach requires notification of the customer's DPA. Our notification to customers provides the information needed to make that assessment. Microsoft therefore notifies customers of any personal data breach, except for those cases where personal data is confirmed to be unintelligible (for example, encrypted data where integrity of the keys is confirmed).
Office 365 investments in data security
In addition to our commitment to provide timely notification of breach, Office 365 strongly invests in systems, processes, and personnel to reduce the likelihood of personal data breach and to quickly detect and mitigate consequence of breach if it does occur.
Here's a description of some of our investments in this space:
Access Control Systems. Office 365 maintains a "zero-standing access" policy. This means that engineers don't have access to the service unless it's explicitly granted in response to a specific incident that requires elevation of access. Whenever access is granted it's done under the principle of least privilege: permission granted for a specific request only allows for a minimal set of actions required to service that request. To do this, Office 365 maintains strict separation between "elevation roles", with each role only allowing certain predefined actions to be taken. The "Access to Customer Data" role is distinct from other roles that are more commonly used to administer the service and is scrutinized most heavily before approval. Together, these investments in access control greatly reduce the likelihood that an engineer in Office 365 inappropriately accesses customer data.
Security Monitoring Systems and Automation: Office 365 maintains robust, real-time security monitoring systems. Among other issues, these systems raise alerts for attempts to illicitly access customer data, or for attempts to illicitly transfer data out of our service. Related to the points about access control mentioned previously, our security monitoring systems maintain detailed records of elevation requests that are made, and the actions taken for a given elevation request. Office 365 also maintains automatic resolution investments that automatically act to mitigate threats in response to issues we detect, and dedicated teams for responding to alerts that can't be resolved automatically. To validate our security monitoring systems, Office 365 regularly conducts red-team exercises in which an internal penetration testing team simulates attacker behavior against the live environment. These exercises lead to regular improvements to our security monitoring and response capabilities.
Personnel and Processes: In addition to the automation described previously, Office 365 maintains processes and teams responsible for both educating the broader organization about privacy and incident management processes, and for executing those processes during a breach. For example, a detailed privacy breach Standard Operating Procedure (SOP) is maintained and shared with teams throughout the organization. This SOP describes in detail the roles and responsibilities both of individual teams within Office 365 and centralized security incident response teams. These responsibilities span both what teams need to do to improve their own security posture (conduct security reviews, integrate with central security monitoring systems, and other best practices), and what teams would need to do if an actual breach (rapid escalation to incident response, maintain and provide specific data sources that will be used to expedite the response process). Teams are also regularly trained on data classification, and correct handling and storage procedures for personal data.
The major takeaway is that Office 365 strongly invests in reducing the likelihood and consequences of personal data breach impacting our customers. If personal data breach does occur, we're committed to rapidly notifying our customers once that breach is confirmed.
What to expect in the event of breach
The previous section describes the investments Office 365 takes to reduce the likelihood of data breach. In the unlikely event that breach does occur, customers should expect a predictable experience in terms of the following responses:
Consistent incident response lifecycle within Office 365. As described above, Office 365 maintains detailed incident response SOPs describing how teams should prepare for breach and how they should operate if a breach does occur. This ensures that our protections and processes apply throughout the service.
Consistent criteria for notifying customers. Our notification criteria focus on Confidentiality, Integrity, and Availability of customer data. Office 365 will directly notify customers if either the confidentiality or integrity of customer data is impacted. That is, we'll notify customers if their data is accessed without proper authorization, or if there's inappropriate destruction or loss of data. Office 365 will also report issues impacting data availability, although this action is usually done through the Service Health Dashboard (SHD).
Consistent notification details. When Office 365 does communicate regarding data breach, customers can expect specific details to be communicated: at minimum, we'll provide the following details:
- Timing of the breach and timing of breach awareness
- The approximate number of users impacted
- The type of user data that was breached
- Actions needed to mitigate the breach, either by the controller or by the processor
Customers should also note that Office 365, as a data processor, doesn't determine the risk of data breach. Whenever personal data breach is detected, we'll notify our customers and provide them with the details they need to accurately determine risk to impacted users and to decide whether further reporting to regulatory authorities is required. To that end, data controllers are expected to determine the following about the incident:
- Breach severity (that is, risk determination)
- Whether end users need to be notified
- Whether regulators (DPAs) need to be notified
- Specific steps to be taken by the controller to mitigate the consequences of breach
Contacting Microsoft
In some scenarios, a customer could become aware of a breach and might wish to notify Microsoft. The current protocol is for customers to notify Microsoft Support, which will then interface with engineering teams for more information. In this scenario, Microsoft engineering teams are similarly committed to providing the information customers need, through their support contact, in a timely fashion.
Call to action for customers
As noted previously, Microsoft 365 is committed to notifying customers within 72 hours of breach declaration. The customer's tenant administrator will be notified. Additionally, Microsoft 365 recommends that customers designate one or more individuals as Message Center Privacy readers, which can be done in the Microsoft 365 admin center. In the event of personal data breach, resources assigned the Message Center Privacy reader role are able to access the Message center to see relevant privacy notifications and, depending on their Message center preferences, might receive a related email.
For more information, see: