INC-006 Customer Breach Notification
Description
Processes exist to notify affected customers of security incidents that impact the confidentiality, integrity, or availability of their data or service. Notification timelines, communication channels, and required content are defined. Notification decisions and the content of communications are documented.
Rationale
Customer notification is both a contractual and reputational obligation, distinct from regulatory notification. Many enterprise contracts specify notification timelines shorter than those required by regulation.
Framework Mappings (4)
| Framework Control | Control Title | Mapping |
|---|---|---|
| SEF-08 | Security Breach Notification | partial |
| GDPR-Art.34.1 | Breach Communication to Data Subjects | partial |
| P6.5 | Notification of Privacy Breaches | partial |
| P6.6 | Remediation of Privacy Breaches | informative |
Evidence (2)
Customer breach notification procedure defining notification timelines, communication channels, required content, and decision authority for customer-facing security incident communications.
Example: Customer Notification Procedure document or IRP section on customer communications (version-controlled, reviewed within the last 12 months) with notification timeline commitments, approved communication templates, and an escalation path to legal and PR.
Test: Request the customer notification procedure. Verify: (1) notification timelines are defined for each severity level; (2) required communication content is specified; (3) the procedure references relevant contractual notification obligations; (4) a named role or function is responsible for approving customer notifications; (5) the procedure was reviewed within the last 12 months.
Customer notification records from incidents where customer notification was required, demonstrating notifications were sent within defined timelines with required content.
Example: Customer notification email archive or incident record showing notification date, recipient list (customers affected), notification content, and timeline comparison against the contractual obligation, or a documented record confirming that no customer-impacting incidents occurred in the review period.
Test: Request customer notification records for any incidents in the last 12 months that met notification criteria. Verify: (1) notification was sent within the timeline defined in the procedure and/or applicable contracts; (2) notification content addressed the nature of the incident, impact, and remedial actions; (3) notification decisions (including decisions not to notify) are documented with rationale and a named decision-maker.
Questions (2)
Does your organisation have a documented process for notifying affected customers of security incidents that impact the confidentiality, integrity, or availability of their data or service, with defined timelines and required notification content?
Customer notification timelines are often defined in enterprise contracts at shorter intervals than regulatory requirements. The procedure should reference contractual obligations and include approved communication templates.
What is the standard customer notification timeline for a confirmed high-severity security incident affecting customer data?
Many enterprise contracts specify 24–72 hour notification timelines. A defined standard timeline shorter than or equal to the contractual obligation is the expected answer.