Whether to go public with a breach is very simple, because almost every state now has a data breach clause which states that if a consumer in that state is affected, then you're going to have to put it out and notify the attorney general in most instances. If a breach involves PCI, you need to notify your acquiring bank, or put out media relations to your customers or to the public in general. It's a very tough decision to make. In most cases, I wouldn't go public until the issue has been resolved unless you need help from authorities. In the example of the online gaming company I talked about earlier, we needed the help of the FBI with one particular aspect. When you need to get them involved, they'll tell you when you need to go public.
I would ensure that you have all the information you need before you go public. It's a lot better if you go to the media before they find out; otherwise it can get very messy. Putting something out there to say that you're having issues and you're looking into it helps. You don't even have to say that you've had a breach, just that there are some operational issues. Just don't put something out there until you're absolutely sure, because you cannot take it back.
If and when you go public with a breach, don't hold back any information; do a full disclosure. For example, if you tell the media that credit cards were breached but don't tell them that this happened three months ago, the press will find out at a later point and the story will be in the news longer because of this.
Note: This question was transcribed from the recording of the webinar "Security War Stories: Life on the Front Lines of a Breach". To listen to the full recording, go here.