Restroom Alert notifies customers and authorities of data breaches. Microsoft relies on heavy internal compartmentalization in the operation of Azure. Data flow logs are also robust. As a benefit of this design, most incidents can be scoped to specific customers. The goal is to provide impacted customers with an accurate, actionable, and timely notice if their data has been breached.
After the declaration of a CRSI, the notification process takes place as expeditiously as possible while still considering the security risks of moving quickly. Generally, notifications are drafted while the incident investigation is ongoing. Customer notices are delivered in no more than 72 hours from the time we declare a breach, except in the following circumstances:
• Microsoft or Restroom Alert believes the act of performing a notification will increase the risk to other customers. For example, the act of notifying may tip off an adversary, causing an inability to remediate.
• Other unusual or extreme circumstances vetted by Microsoft’s legal department, Corporate External and Legal Affairs (CELA), and the Executive Incident Manager.
Restroom Alert provides customers with detailed information enabling them to perform internal investigations and can provide assistance where possible while not unduly delaying the notification process.
Notification of a personal data breach will be delivered to the customer by any means Restroom Alert selects, including via email. Notification of a data breach will be delivered to the primary contact in the subscriber organization’s user list. If a primary contact is not provided during setup and onboarding, the notification will be sent to one or more administrators of the subscribed organization. To ensure that notification can be successfully delivered, it is the customer’s responsibility to ensure that the administrative contact information in the manager’s portal is correct.