After a data breach, are there legal implications of sharing details?

Ask the Expert

After a data breach, are there legal implications of sharing details?

Our company recently had a data breach that we were able to handle quickly and, I thought, very well. I'd like to share some of my strategies with other security managers so they can learn from our mistakes and our successes. Is this legally OK, and what corporate details should I necessarily leave out?

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Safe Harbor

The short answer is that while it is potentially legal to discuss a breach response, whether you can discuss it publicly and to what extent will depend heavily on the political climate at the company and whether the company is facing litigation as a result of the breach. Assuming that the company is in fact facing litigation, then you likely will not be permitted to air details until the case(s) are fully resolved. Even if the company isn't facing litigation, many companies are wary of publicly discussing breaches due to fear of negative publicity.

So, in order to get permission, you'll need to have a solid justification that overcomes this fear. I've found that two particular avenues are effective in this sort of situation. One is to spin the incident as a positive demonstration of the skill and care of the company, as well as a competitive advantage. At this point, everyone knows that companies have breaches, and you've shown that your company has the ability to handle incidents quickly and properly.

The other tact that I have found effective is to argue that by sharing this information, other security teams can learn from your experiences and improve their own incident response skills. The advantage of this method is that it's possible to sanitize out the name of the company and any identifying characteristics while still preserving the important lessons learned.

Generally speaking, eliminating the name of the company is sufficient unless it is the only company filling a particular niche. In publications, companies that have suffered breaches are often referred to as "a large financial institution" or "a mid-sized health care company," which gives readers an idea of how relevant the breach take-aways might be without overly exposing the actual company.

More information:

This was first published in December 2008