The short answer is that while it is potentially legal to discuss a breach response, whether you can discuss it publicly and to what extent will depend heavily on the political climate at the company and whether the company is facing litigation as a result of the breach. Assuming that the company is in fact facing litigation, then you likely will not be permitted to air details until the case(s) are fully resolved. Even if the company isn't facing litigation, many companies are wary of publicly discussing breaches due to fear of negative publicity.
So, in order to get permission, you'll need to have a solid justification that overcomes this fear. I've found that two particular avenues are effective in this sort of situation. One is to spin the incident as a positive demonstration of the skill and care of the company, as well as a competitive advantage. At this point, everyone knows that companies have breaches, and you've shown that your company has the ability to handle incidents quickly and properly.
The other tack that I have found effective is to argue that by sharing this information, other security teams can learn from your experiences and improve their own incident response skills. The advantage of this method is that it's possible to sanitize out the name of the company and any identifying characteristics while still preserving the important lessons learned.
Generally speaking, eliminating the name of the company is sufficient unless it is the only company filling a particular niche. In publications, companies that have suffered breaches are often referred to as "a large financial institution" or "a mid-sized health care company," which gives readers an idea of how relevant the breach take-aways might be without overly exposing the actual company.
This was first published in December 2008