Updated: May 31, 2023 (November 23, 2022)
Analyst Report
Customers Must Be Vigilant for Security Incident Notices
- A security incident raises questions about Microsoft’s notification policies.
- Organizations should review both Microsoft’s and their own policies for monitoring for security incidents.
Under the Microsoft Products and Services Data Protection Addendum (DPA), customers must remain vigilant for security incident notifications. This is because Microsoft can notify customers of security incidents by any means it selects. For example, after an Oct. 2022 security incident involving Azure Blob Storage, Microsoft chose to notify customers via the Microsoft 365 Message Center. Therefore, someone who appreciates the risks and understands the organization’s duty to report security incidents to affected employees, regulatory agencies, and insurance companies must constantly monitor the Microsoft 365 Message Center for notifications.
Another question raised by the recent incident notification is whether the notification contains the information an impacted organization needs to take appropriate action and comply with its regulatory obligations. Again, using the Blob Storage incident as an example, the Message Center notice states, “Your organization was in scope of this incident,” but adds, “We are unable to provide the specific affected data from this issue.” Without specific data about the incident, the notice could be insufficient for an organization to fulfill its breach notification obligations.