Appendix K: SDL Privacy Escalation Response Framework (Sample)

This sample document provides basic criteria to consider when building a privacy breach response process.

Purpose

The purpose of the Privacy Escalation Response Framework (PERF) is to define a systematic process that you can use to resolve privacy escalations efficiently. The process must also manage the associated internal and external communications and identify the root cause or causes of each escalation so that policies or processes can be improved to help prevent recurrences.

Definition: Privacy Escalation

A privacy escalation is an internal process to communicate the details of a privacy-related incident. A privacy escalation is warranted for the following types of incidents:

  • Data breaches or theft

  • Failure to meet communicated privacy commitments

  • Privacy-related lawsuits

  • Privacy-related regulatory inquiries

  • Contact from media outlets or a privacy advocacy group regarding a privacy incident

Privacy Escalation Team

Your privacy escalation core team should include an escalation manager, a legal representative, and a public relations (PR) representative, at a minimum. The escalation manager should be responsible for including appropriate representation from across your organization (such as privacy and business experts) and for driving the process to completion. The legal and public relations representatives are responsible for helping resolve any legal or PR concerns consistently throughout the process.

Submitting Privacy Escalation Requests

The privacy core team should set up a distribution group or managed e-mail account that any employee can contact regarding a potential privacy escalation.

Privacy Escalation Response Process

Escalation should begin when the first e-mail notification of the issue is received. The escalation manager is responsible for evaluating the content of the escalation to determine whether more information is required. If so, the escalation manager is responsible for working with the reporting party and other contacts to determine:

  • The source of the escalation

  • The impact and breadth of the escalation

  • The validity of the incident or situation

  • A summary of the known facts

  • Timeline expectations

  • Employees who know about the situation, product, or service

The escalation manager should then disseminate this information to appropriate contacts and seek resolution. Although the escalation manager can assign portions of the workload to other people as needed, the escalation manager should ensure that all aspects of the escalation are resolved. Appropriate resolutions should be determined by a privacy escalation core team in cooperation with the reporting party and other applicable contacts. Appropriate resolutions might include some or all of the following:

  • Internal incident management

  • Communications and training

  • Human resources actions, in the case of a deliberate misuse of data

  • External communications, such as:

    • Online Help articles

    • Public relations outreach

    • Breach notification

    • Documentation updates

    • Short-term and/or long-term product or service changes

Closing

After all appropriate resolutions are in place, the privacy escalation team should evaluate the effectiveness of privacy escalation response actions. An effective remediation is one that resolves the concerns of the reporting party, resolves associated user concerns, and helps to ensure that similar events do not recur.

Content Disclaimer

This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products.

This documentation is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.

This documentation does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2012 Microsoft Corporation. All rights reserved.

Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported