Q

After a data breach, are there legal implications of sharing details?

After a data breach, it may be helpful to share the highs and lows of the experience with other companies to help prevent similar breaches, but what are the legal implications of this? Learn how to share details without breaking the law or your enterprise's information security policy.

Our company recently had a data breach that we were able to handle quickly and, I thought, very well. I'd like to share some of my strategies with other security managers so they can learn from our mistakes and our successes. Is this legally OK, and what corporate details should I necessarily leave out?

The short answer is that while it is potentially legal to discuss a breach response, whether you can discuss it publicly and to what extent will depend heavily on the political climate at the company and whether the company is facing litigation as a result of the breach. Assuming that the company is in fact facing litigation, then you likely will not be permitted to air details until the case(s) are fully resolved. Even if the company isn't facing litigation, many companies are wary of publicly discussing breaches due to fear of negative publicity.

So, in order to get permission, you'll need to have a solid justification that overcomes this fear. I've found that two particular avenues are effective in this sort of situation. One is to spin the incident as a positive demonstration of the skill and care of the company, as well as a competitive advantage. At this point, everyone knows that companies have breaches, and you've shown that your company has the ability to handle incidents quickly and properly.

The other tack that I have found effective is to argue that by sharing this information, other security teams can learn from your experiences and improve their own incident response skills. The advantage of this method is that it's possible to sanitize out the name of the company and any identifying characteristics while still preserving the important lessons learned.

Generally speaking, eliminating the name of the company is sufficient unless it is the only company filling a particular niche. In publications, companies that have suffered breaches are often referred to as "a large financial institution" or "a mid-sized health care company," which gives readers an idea of how relevant the breach take-aways might be without overly exposing the actual company.

This was first published in December 2008
