Customer Data Breach Notification Protocol
- Preparation of communication - Communication will be written in collaboration with Buffer's support team lead and technical lead with final sign off by the CEO if the CEO is available. If the CEO is not available, another officer of the company shall sign off.
- Details of the communication - The communication should describe the scope of the breach, including the types of data that have been leaked or potentially leaked, and any personally identifiable information or sensitive information involved.
- Methods of communication - We will inform our customers in multiple ways to increase the likelihood they will learn of the breach as soon as possible. This could include:
  - FAQ or Customer knowledge base article w/ details - We will post the information from the breach communication on an FAQ or Customer knowledge base article. This will act as a live communication containing any subsequent updates to information concerning the breach.
  - Company blog post - We will also copy the information from the FAQ article to our company blog. This will be updated in the same way as the FAQ article.
  - Initial email notification to customers - We shall email affected customers as soon as possible and no later than 24 hours after learning of the breach. If the breach can be narrowed to a specific set of customers, we will only email that set of customers. If the breach cannot be narrowed down, we will email all customers. This email will contain links to the FAQ article or the company blog post so the customer can check for the latest updates.
  - In-application notification banners - We will link to the FAQ article from one or multiple in-app banners.
  - Twitter - We will share the information with a link to our FAQ article or blog post via Twitter, which many of our customers use to stay up to date with product and company news.
- Continued updates and communication - Naturally, the information about the data breach will change as ongoing investigations continue.
  - Update FAQ and company blog post - We will update these continually and with the highest frequency.
  - Email - When significant updates to the breach happen or if the breach has been resolved, we will email our customers again.
  - Post-mortem - If the breach is significant and has caused issues for our customers, we shall hold an internal post-mortem meeting to determine what happened and what we are doing to prevent future breaches, then share this transparently with our customers.
Any of the above may be subject to change if the situation requires more communication with customers. In special circumstances, we may have additional communication with customers via email, phone, etc. to share more information about how they were affected.