Ask the Expert

After a data breach, are there legal implications of sharing details?

Our company recently had a data breach that we were able to handle quickly and, I thought, very well. I'd like to share some of my strategies with other security managers so they can learn from our mistakes and our successes. Is this legally OK, and what corporate details should I necessarily leave out?

    Requires Free Membership to View

The short answer is that while it is potentially legal to discuss a breach response, whether you can discuss it publicly and to what extent will depend heavily on the political climate at the company and whether the company is facing litigation as a result of the breach. Assuming that the company is in fact facing litigation, then you likely will not be permitted to air details until the case(s) are fully resolved. Even if the company isn't facing litigation, many companies are wary of publicly discussing breaches due to fear of negative publicity.

So, in order to get permission, you'll need to have a solid justification that overcomes this fear. I've found that two particular avenues are effective in this sort of situation. One is to spin the incident as a positive demonstration of the skill and care of the company, as well as a competitive advantage. At this point, everyone knows that companies have breaches, and you've shown that your company has the ability to handle incidents quickly and properly.

The other tact that I have found effective is to argue that by sharing this information, other security teams can learn from your experiences and improve their own incident response skills. The advantage of this method is that it's possible to sanitize out the name of the company and any identifying characteristics while still preserving the important lessons learned.

Generally speaking, eliminating the name of the company is sufficient unless it is the only company filling a particular niche. In publications, companies that have suffered breaches are often referred to as "a large financial institution" or "a mid-sized health care company," which gives readers an idea of how relevant the breach take-aways might be without overly exposing the actual company.

More information:

This was first published in December 2008

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: