SOC 2 Vendor Notification for Unauthorized Disclosures (P6.5)
Overview:
The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity’s objectives related to privacy.
Action Items:
1) Create a vendor management policy and related procedures and publish them to the company intranet for employee access and review.
2) Inspect the contracts for a sample of vendors during the review period to determine that nondisclosure agreements covering confidentiality and protection of information are required before information designated as confidential is shared with third parties, and that such agreements contain provisions for reporting actual or suspected breaches to the entity.
3) Inspect the change control tickets for a sample of privacy incidents to determine that reported or detected privacy incidents and disclosures are tracked within a ticketing system until resolved.
Related Documents:
1) Vendor management policy
2) Vendor nondisclosure agreements
3) Change tickets for a sample of changes
Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Remediates Misuse of Personal Information by a Third Party—The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.
2) Reports Actual or Suspected Unauthorized Disclosures—A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information.