GRCWatch
Sign inStart free trial

SOC 2 P6.6: Breach Notification Requirements

Breach notification is a critical control that protects your organization legally and maintains customer trust. P6.6 requires you to establish and maintain processes for timely, accurate notification of security incidents to affected parties—including data subjects, regulators, and other stakeholders—in compliance with applicable laws and your stated commitments.

What this means

P6.6 requires your organization to establish documented procedures for detecting, investigating, and notifying relevant parties when a breach or security incident occurs. This includes identifying who must be notified (affected individuals, regulators, business partners), determining notification timelines, defining notification content requirements, and maintaining records of all notifications. The control ensures compliance with privacy laws like GDPR, CCPA, and state breach notification laws while protecting the organization's reputation and customer relationships.

How to comply

  1. 1.Define breach notification triggers and establish a clear incident classification process to determine which incidents require notification
  2. 2.Document notification procedures specifying timeframes, recipients (individuals, regulators, partners), and required communication channels
  3. 3.Create notification templates that include incident details, impact assessment, and recommended protective actions for affected parties
  4. 4.Establish a breach investigation process to determine scope, affected data, and root cause before notification
  5. 5.Implement monitoring and logging to detect potential breaches and document discovery times
  6. 6.Assign clear responsibility for breach notification decision-making and authorization
  7. 7.Maintain a breach notification log recording all incidents, notification dates, recipients, and methods
  8. 8.Test notification procedures annually and after significant system changes
  9. 9.Coordinate with legal and communications teams to ensure regulatory compliance and messaging consistency

Evidence auditors look for

  • Documented breach notification policy and procedures
  • Breach incident response plan with notification workflows
  • Notification templates for individuals, regulators, and business partners
  • Breach investigation reports with root cause analysis and scope determination
  • Breach notification log with dates, recipients, methods, and outcomes
  • Evidence of regulatory notifications (GDPR, CCPA, state notifications)
  • Communication records and notification delivery confirmations
  • Training materials and records for incident response teams
  • Contracts with legal counsel and PR firms supporting notification
  • Audit trails showing incident detection and notification timelines

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates breach detection logging, generates compliant notification templates customized to your jurisdiction, tracks notification deadlines, and maintains an audit-ready notification ledger—so you can demonstrate P6.6 compliance without manual notification tracking.

See how GRCWatch handles this control automatically

Start free trial

Related controls

P5.1 — Incident Objectives & ResponsibilitiesP6.1 — Privacy NoticeC1.2 — Risk AssessmentA1.2 — Communication & Accountability