1 Reply Latest reply on Jan 13, 2012 12:56 PM by rvasquezgt

    When should you go public with a breach?


      Whether to go public with a breach is very simple, because almost every state now has a data breach clause which states that if a consumer of the state is affected, then you're going to have to put it out and notify the attorney general in most instances. If a breach involves PCI, you need to notify your acquiring bank or put out media relations to your customers or the public in general. It's a very tough decision to make. In most cases, I wouldn't go public until the issue has been resolved unless you need help from authorities. In the example of the online gaming company I talked about earlier, we needed the help of the FBI with one particular aspect. When you need to get them involved, they'll tell you when you need to go public.


      I would ensure that you have all the information you need before you go public. It's a lot better if you go to the media before they find out; otherwise it can get very messy. Putting something out there to suggest that you're having issues and you're looking into it helps. You don't even have to say that you've had a breach, just that there are some operational issues. Just don't put something out there until you're absolutely sure, because you cannot take it back.


      If and when you go public with a breach, don't hold back any information; do a full disclosure. For example, if you tell the media that credit cards were breached but don't tell them that this happened three months ago, the press will find out at a later point and the story will be in the news longer because of this.


      Note: This question was transcribed from the recording of the webinar "Security War Stories: Life on the Front Lines of a Breach". To listen to the full recording, go here.

        • Re: When should you go public with a breach?

          Wow, nice question. My answer would be "It depends on your purposes." If you find a breach that comes from a software provider, in my opinion you must communicate it to the provider and go public when the flaw has been fixed, but if you want to stay neutral you can make it public. I think going public will make the software providers work faster to solve it; some providers just ignore the notifications, and some months later you can get a big surprise that the software still has the same bug. But in the case of credit cards, that breach can be really dangerous for the users; in that case, in my opinion the best action is to notify the bank, the source (Visa, MasterCard, etc.), and the financial authorities of your country. My opinion.