1. Purpose and Scope
This Data Breach Notification Policy outlines TownSquare's procedures for identifying, responding to, and notifying affected parties of data security breaches in compliance with:
- GDPR Article 33: Notification to supervisory authority within 72 hours
- GDPR Article 34: Communication to affected data subjects
- CCPA (California Civil Code § 1798.82): California breach notification requirements
- State Breach Notification Laws: Compliance with all applicable U.S. state laws
2. Definition of a Data Breach
A data breach is defined as a confirmed incident that results in:
- Unauthorized access to personal data
- Unauthorized disclosure of personal data
- Unauthorized alteration of personal data
- Accidental or unlawful destruction of personal data
- Loss of personal data in a manner that compromises confidentiality, integrity, or availability
Personal Data includes any information relating to an identified or identifiable person, such as names, email addresses, IP addresses, user content, and other identifiers.
3. Internal Notification and Assessment (Within 24 Hours)
Upon detection or notification of a potential data breach, the following immediate actions will be taken:
3.1 Detection and Logging
- Incident is immediately logged in our security incident management system
- Date, time, and method of discovery are documented
- Preliminary assessment of scope and severity is conducted
3.2 Internal Notification Chain
- Security Team: Immediately notified to begin investigation
- Data Protection Officer (DPO): Notified at dpo@townsquare.com
- Legal Team: Consulted for compliance and liability assessment
- Executive Leadership: Briefed on incident severity and impact
- Communications Team: Prepared for potential public disclosure
3.3 Containment Measures
- Immediate steps to contain the breach and prevent further unauthorized access
- Systems isolated or taken offline if necessary
- Unauthorized access points identified and secured
- Evidence preserved for forensic analysis
4. Breach Assessment and Documentation
Within 24-48 hours, a comprehensive assessment will determine:
- Nature of the breach: How the breach occurred and what vulnerabilities were exploited
- Categories of data affected: Types of personal data compromised (names, emails, passwords, etc.)
- Approximate number of affected users: Estimated count of individuals impacted
- Likely consequences: Potential harm to affected individuals (identity theft, privacy violation, etc.)
- Risk level: Classification as low, medium, high, or critical risk
5. Notification to Supervisory Authorities (Within 72 Hours)
If the breach poses a risk to the rights and freedoms of individuals, we will notify the appropriate supervisory authorities within 72 hours of becoming aware of the breach.
5.1 Relevant Authorities
- European Union: Lead supervisory authority based on primary establishment or appointed representative
- United Kingdom: Information Commissioner's Office (ICO), website: https://ico.org.uk
- California (if 500+ residents affected): California Attorney General, website: https://oag.ca.gov/privacy/databreach/reporting
- Other U.S. States: State-specific notifications as required by applicable breach notification laws
5.2 Information Included in Authority Notification
- Description of the nature of the breach, including categories and approximate number of affected data subjects
- Name and contact details of the Data Protection Officer or other contact point
- Description of the likely consequences of the breach
- Description of measures taken or proposed to address the breach and mitigate its effects
- If notification is delayed beyond 72 hours, reasons for the delay
6. Notification to Affected Users
If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected users without undue delay.
6.1 High Risk Criteria
A breach is considered high risk if it involves:
- Exposure of passwords (even if hashed)
- Financial information or payment card data
- Government-issued identification numbers
- Health or medical information
- Data that could lead to identity theft or financial fraud
- Sensitive personal information that could cause significant harm if misused
6.2 Notification Methods
Affected users will be notified through multiple channels:
- Email notification: Sent to the email address associated with the account
- In-app notification: Prominent alert displayed upon login
- Website notice: Public notice posted on the TownSquare homepage
- Account notification center: Detailed information in user's notification inbox
6.3 User Notification Content
User notifications will include:
- Clear and plain language description of the breach
- Categories of personal data that were compromised
- Likely consequences and potential risks
- Measures taken to address the breach
- Recommended actions for users (e.g., change password, enable 2FA, monitor accounts)
- Contact information for questions: security@townsquare.com
- Resources for identity theft protection and credit monitoring (if applicable)
7. Documentation and Record-Keeping
All data breaches, whether or not they require notification, will be documented in our breach register. Documentation includes:
- Facts of the breach: What happened, when, and how it was discovered
- Effects and consequences: Impact on users and systems
- Remedial action taken: Steps to contain, mitigate, and prevent recurrence
- Notification timeline: When authorities and users were notified
- Lessons learned: Analysis and recommendations for future prevention
Breach documentation is retained for a minimum of 5 years for audit and compliance purposes.
8. Post-Breach Actions
8.1 Immediate Remediation
- Vulnerabilities identified and patched
- Security controls strengthened
- Affected accounts secured (password resets, session termination)
- Enhanced monitoring implemented
8.2 Root Cause Analysis
- Forensic investigation to determine breach origin
- Identification of systemic weaknesses
- Review of incident response procedures
- Staff training and awareness updates
8.3 Long-Term Prevention
- Security architecture review and enhancement
- Implementation of additional safeguards
- Regular security audits and penetration testing
- Continuous monitoring and threat detection improvements
9. Exceptions to Notification
User notification may not be required if:
- Strong encryption: Compromised data was protected by strong cryptographic encryption and encryption keys were not compromised
- Subsequent measures: Measures were taken to ensure the high risk to users is no longer likely to materialize
- Disproportionate effort: Notification would require disproportionate effort, in which case a public communication or similar measure will be used
However, supervisory authority notification is still required under GDPR regardless of these exceptions.
10. User Rights Following a Breach
Following a data breach, affected users have the right to:
- Request detailed information about the breach and its impact on their data
- Access a copy of their personal data
- Request deletion of their account and associated data
- Lodge a complaint with their local data protection authority
- Seek compensation for damages resulting from the breach (where applicable)
11. Reporting a Suspected Breach
If you suspect a data breach or security vulnerability, please report it immediately to:
- Security Team: security@townsquare.com (subject line: "URGENT: Security Incident Report")
- Data Protection Officer: dpo@townsquare.com
Note: We take all security reports seriously and will respond promptly. If you are a security researcher, please see our Responsible Disclosure Policy.
12. Contact Information
For questions about this Data Breach Notification Policy, please contact:
- Email: privacy@townsquare.com
- Data Protection Officer: dpo@townsquare.com
- Security Team: security@townsquare.com
This Data Breach Notification Policy may be updated from time to time. Last updated: November 17, 2025.