The short answer is that while it is potentially legal to discuss a breach response, whether you can discuss it publicly and to what extent will depend heavily on the political climate at the company and whether the company is facing litigation as a result of the breach. Assuming that the company is in fact facing litigation, then you likely will not be permitted to air details until the case(s) are fully resolved. Even if the company isn't facing litigation, many companies are wary of publicly discussing breaches due to fear of negative publicity.
So, in order to get permission, you'll need to have a solid justification that overcomes this fear. I've found that two particular avenues are effective in this sort of situation. One is to spin the incident as a positive demonstration of the skill and care of the company, as well as a competitive advantage. At this point, everyone knows that companies have breaches, and you've shown that your company has the ability to handle incidents quickly and properly.
The other tack that I have found effective is to argue that by sharing this information, other security teams can learn from your experiences and improve their own incident response skills. The advantage of this method is that it's possible to sanitize out the name of the company and any identifying characteristics while still preserving the important lessons learned.
Generally speaking, eliminating the name of the company is sufficient unless it is the only company filling a particular niche. In publications, companies that have suffered breaches are often referred to as "a large financial institution" or "a mid-sized health care company," which gives readers an idea of how relevant the breach takeaways might be without overly exposing the actual company.