Translations:Tech:Compromised Handling/34/en

Notification of Users
Under EU law (the GDPR) we're required to notify users when their personal data has been breached: the breach must be reported to the supervisory authority within 72 hours of discovery, and affected users must be told without undue delay when the breach is likely to put them at risk. Since we never geolocate people, assume that all users are European, treat 72 hours from discovery as the deadline for notification, and do the right thing. Which notification steps to take depends on the extent of the breach and on what the investigation turns up.
 * If we determine that no PII has been compromised, writing up an incident report on Meta is enough.
 * If we determine that a significant share of users have had their information compromised, run a sitenotice. If the breach was restricted to a few wikis, run it there; otherwise run a global sitenotice. Link to the incident report.
 * If we can identify the individual users whose PII was compromised, email each of them, provided they have an email address on file. If there are many addresses to write to (hopefully not), prepare a mass email and put the recipients in the bcc field so that the mailing itself does not leak the list of affected users and make things worse.
 * Consider external notification channels too, such as Twitter.