SOC 2 P6.4: Privacy - Notification of Unauthorized Disclosures
What This Control Requires
The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity's objectives related to privacy. Notification is provided in accordance with applicable laws, regulations, and contractual commitments.
In Plain Language
A data breach is stressful enough without scrambling to figure out who you need to notify, how fast, and what to say. Almost every privacy jurisdiction now has mandatory breach notification rules, and getting it wrong - too slow, too vague, or missing someone - compounds the damage and invites regulatory action.
You need a notification process that answers all the critical questions up front: does this incident trigger a notification obligation? Who must be notified (individuals, regulators, business partners)? What do the notifications need to contain? What are the deadlines? And how do you document everything?
Auditors evaluate whether you have a defined breach notification process, whether it covers all applicable legal requirements, whether it has been tested (or actually used), and whether your timelines and notification content meet regulatory standards. Having a plan on paper that has never been exercised is a common weakness.
How to Implement
Develop a breach notification policy that maps requirements from every applicable regulation. Cover GDPR (72-hour regulator notification, individual notification for high-risk breaches), relevant state breach notification laws (they vary significantly), CCPA, HIPAA if applicable, and contractual obligations to customers and partners.
Build a breach assessment framework. Not every security incident triggers notification. Define clear criteria based on the type of data involved, the number of individuals affected, the likelihood of harm, whether the data was encrypted or otherwise protected, and the specific thresholds in each applicable regulation.
Prepare notification templates for different scenarios before you need them. Draft templates for individual notification letters and emails, regulatory notification forms, customer notifications, and public disclosures. Get legal counsel to pre-approve them. Each template should cover what happened, what data was affected, what you are doing about it, what individuals can do to protect themselves, and how to get in touch.
Map out the notification workflow with clear ownership. Define who handles each step from breach assessment through notification delivery. Spell out the approval chain - legal review, executive sign-off, communications review. Make sure the whole process can execute within your tightest regulatory deadline (72 hours for GDPR is not much time when you factor in assessment, drafting, and approvals).
Run tabletop exercises. Simulate a breach and walk through the entire process: assessment, notification decision, template preparation, approvals, and delivery. Find the bottlenecks before a real incident exposes them.
Document everything. Record all breach assessments (including those that did not trigger notification), all notifications sent, delivery confirmation, and follow-up communications. These records are what you show auditors and regulators to demonstrate compliance.
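The assessment, deadline and record-keeping steps above, carried through as an added Python example (this is not AuditFront's code or an auditor-prescribed method). The GDPR 72-hour window is the figure cited in the text; the HIPAA entry and the 24-hour contractual term in the deadline table are placeholders, and the high-risk data category list and the simplified "encrypted with an intact key means no notification" rule are assumptions that legal counsel would confirm per regime before the helper is used:

```python
"""Breach notification triage helper (constructed example, not AuditFront's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Regulator deadlines measured from discovery. The GDPR 72-hour figure is the one
# cited in the control text; the other entries are placeholders that counsel must
# replace with the authoritative figure for each jurisdiction and contract.
REGULATOR_DEADLINES: Dict[str, timedelta] = {
    "GDPR": timedelta(hours=72),
    "HIPAA": timedelta(days=60),                  # placeholder; confirm with counsel
    "CUSTOMER_DPA_EXAMPLE": timedelta(hours=24),  # hypothetical contractual term
}
# Data categories treated as high risk for the individual-notification decision
# (assumed list; the real one comes from the breach assessment framework).
HIGH_RISK_CATEGORIES: Set[str] = {"ssn", "health", "financial_account", "credentials"}

@dataclass
class Incident:
    incident_id: str
    discovered_at: datetime      # must be timezone-aware
    data_categories: Set[str]
    affected_count: int
    encrypted: bool              # data was encrypted when it was exposed
    key_compromised: bool        # the encryption key was also exposed
    regimes: Set[str]            # regimes that apply to the affected data
    harm_likelihood: str         # "low", "medium" or "high"

@dataclass
class Assessment:
    incident_id: str
    assessed_at: datetime
    regulator_deadlines: Dict[str, datetime]  # empty when no regulator notice is due
    notify_individuals: bool
    rationale: List[str] = field(default_factory=list)

# Append-only record of every assessment, including "no notification" outcomes.
ASSESSMENT_LOG: List[Assessment] = []

def assess(incident: Incident, now: Optional[datetime] = None) -> Assessment:
    """Apply the assessment criteria, compute deadlines and record the outcome."""
    if incident.discovered_at.tzinfo is None:
        raise ValueError("discovered_at must be timezone-aware; the clock is ambiguous otherwise")
    unknown = incident.regimes - set(REGULATOR_DEADLINES)
    if unknown:
        raise ValueError(f"no deadline configured for: {sorted(unknown)}")
    assessed_at = now or datetime.now(timezone.utc)
    rationale: List[str] = []
    # Simplified safe-harbour rule (assumption): encrypted data with an intact key is
    # unreadable to the attacker, so no notification is triggered. Record it anyway.
    if incident.encrypted and not incident.key_compromised:
        rationale.append("encrypted, key not compromised: no notification triggered")
        result = Assessment(incident.incident_id, assessed_at, {}, False, rationale)
        ASSESSMENT_LOG.append(result)
        return result
    deadlines = {r: incident.discovered_at + REGULATOR_DEADLINES[r] for r in incident.regimes}
    for r, due in sorted(deadlines.items()):
        rationale.append(f"{r}: regulator notice due by {due.isoformat()}")
    high_risk_data = bool(incident.data_categories & HIGH_RISK_CATEGORIES)
    notify_individuals = incident.harm_likelihood == "high" or high_risk_data
    rationale.append("individual notification required" if notify_individuals
                     else "individual notification not required: low risk of harm")
    result = Assessment(incident.incident_id, assessed_at, deadlines, notify_individuals, rationale)
    ASSESSMENT_LOG.append(result)
    return result

def overdue(assessment: Assessment, now: datetime) -> List[str]:
    """Regimes whose regulator deadline has already passed at `now`."""
    return sorted(r for r, due in assessment.regulator_deadlines.items() if now > due)

def demo() -> dict:
    """Run two constructed incidents through the process and summarise the results."""
    utc = timezone.utc
    plain = Incident("INC-2024-001", datetime(2024, 1, 1, 9, 0, tzinfo=utc),
                     {"email", "ssn"}, 500, False, False, {"GDPR"}, "medium")
    enc = Incident("INC-2024-002", datetime(2024, 1, 2, 9, 0, tzinfo=utc),
                   {"email"}, 20, True, False, {"GDPR", "HIPAA"}, "low")
    a = assess(plain, now=datetime(2024, 1, 1, 10, 0, tzinfo=utc))
    b = assess(enc, now=datetime(2024, 1, 2, 10, 0, tzinfo=utc))
    try:  # a naive timestamp must be rejected rather than silently assumed to be UTC
        assess(Incident("INC-BAD", datetime(2024, 1, 1), set(), 1, False, False, {"GDPR"}, "low"))
        naive_rejected = False
    except ValueError:
        naive_rejected = True
    return {
        "gdpr_deadline": a.regulator_deadlines["GDPR"].isoformat(),
        "notify_individuals": a.notify_individuals,
        "overdue_on_jan3": overdue(a, datetime(2024, 1, 3, 0, 0, tzinfo=utc)),
        "overdue_on_jan5": overdue(a, datetime(2024, 1, 5, 0, 0, tzinfo=utc)),
        "encrypted_regulators": sorted(b.regulator_deadlines),
        "encrypted_logged": any(x.incident_id == "INC-2024-002" for x in ASSESSMENT_LOG),
        "naive_rejected": naive_rejected,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry the weight here: the deadline is computed from the discovery timestamp rather than from when someone got around to assessing the incident, and a naive timestamp is rejected outright, because a 72-hour clock that is off by a timezone offset is exactly the kind of error that turns a compliant notification into a late one. The assessment log keeps the "no notification triggered" outcomes alongside the others, which is the record the auditor asks for.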
Evidence Your Auditor Will Request
- Breach notification policy addressing all applicable regulatory requirements
- Breach assessment framework with criteria for determining notification obligations
- Pre-approved notification templates for individuals, regulators, and customers
- Notification process documentation with timelines, responsibilities, and approval workflows
- Breach notification exercise records or actual notification records with delivery confirmation
Common Mistakes
- No breach notification policy exists, leading to ad hoc responses when breaches occur
- Notification timelines are not defined or do not comply with applicable regulatory requirements
- Notification templates are not prepared in advance, causing delays during actual incidents
- Breach assessment criteria are unclear, resulting in inconsistent notification decisions
- No records are maintained of breach assessments or notifications sent
Frequently Asked Questions
When does the notification clock start?
Do we need to notify if the breached data was encrypted?
What if we are a processor and our controller's data is breached?