Advice re network compromise and "law enforcement" (PCI certification)
cheetahmorph at gmail.com
Wed Jan 11 23:29:43 UTC 2017
I am not a lawyer, and this is not legal advice, but...
General rule is to always notify the credit card companies, and to notify
legal. One/both/neither may advice law enforcement activity. In either
case, your PCI-required Incident response plan is required to do certain
isolation steps explicitly to aid in digitial forensics if an investigation
is needed. As for how many - thats a legal question, but under California
breach laws, any breach must notify the affected person(s), and over 500
has additional requirements - and those numbers do provide a sane precedent
to fall back to.
Also, reporting to an FBI office is a good move to provide a liability
shield to your company, as you did follow due diligence. If the FBI does
not follow up, thats not your problem.
On Wed, Jan 11, 2017 at 7:39 AM, Keith Stokes <keiths at neilltech.com> wrote:
> What advice does your QSA have regarding writing the policy?
> There are generic templates available to write your company security
> policy. That policy doesn’t necessarily constitute legal definitions or
> requirements for any sort of breach, which may vary by locale and provider.
> I’m assuming EDUs will have their own set of rules as may non-profits.
> At best you will want to pass legal responsibility out of technical hands
> into C-Level/management hands to make decisions about whom is notified,
> what legal actions and third parties are called in. Your security policy
> can define when the buck is passed and left to a given committee.
> On Jan 11, 2017, at 9:23 AM, Matt Freitag <mlfreita at mtu.edu<mailto:mlfre
> ita at mtu.edu>> wrote:
> Adding to what Rich said, it's very easy for advice on this to cross into
> advice on legal matters.
> It's also usually very illegal for non-attorneys or non-licensed attorneys
> to offer advice on legal matters.
> I recommend finding a lawyer with expertise in this area and who has
> specific knowledge of your operation.
> Matt Freitag
> Network Engineer I
> Information Technology
> Michigan Technological University
> (906) 487-3696 <%28906%29%20487-3696>
> On Wed, Jan 11, 2017 at 10:19 AM, Rich Kulawiec <rsk at gsp.org> wrote:
> On Wed, Jan 11, 2017 at 09:37:19AM -0500, David H wrote:
> Anyone have pointers/advice on what you came up with for a reasonable
> definition of events that warrant involving law enforcement, and then
> agency/agencies would be contacted?
> This question is best answered by an attorney with expertise in this area
> and with specific knowledge of your operation.
> Keith Stokes
More information about the NANOG