I am not a lawyer, and this is not legal advice, but... The general rule is to always notify the credit card companies, and to notify legal. One/both/neither may advise law enforcement activity. In either case, your PCI-required incident response plan is required to do certain isolation steps explicitly to aid in digital forensics if an investigation is needed. As for how many - that's a legal question, but under California breach laws, any breach must notify the affected person(s), and over 500 has additional requirements - and those numbers do provide a sane precedent to fall back to.
Also, reporting to an FBI office is a good move to provide a liability shield to your company, as you did follow due diligence. If the FBI does not follow up, that's not your problem.

On Wed, Jan 11, 2017 at 7:39 AM, Keith Stokes <kei...@neilltech.com> wrote:
> What advice does your QSA have regarding writing the policy?
>
> There are generic templates available to write your company security
> policy. That policy doesn't necessarily constitute legal definitions or
> requirements for any sort of breach, which may vary by locale and provider.
> I'm assuming EDUs will have their own set of rules, as may non-profits.
>
> At best you will want to pass legal responsibility out of technical hands
> into C-Level/management hands to make decisions about who is notified,
> and what legal actions and third parties are called in. Your security policy
> can define when the buck is passed and left to a given committee.
>
> On Jan 11, 2017, at 9:23 AM, Matt Freitag <mlfre...@mtu.edu> wrote:
>
> Adding to what Rich said, it's very easy for advice on this to cross into
> advice on legal matters.
>
> It's also usually very illegal for non-attorneys or non-licensed attorneys
> to offer advice on legal matters.
>
> I recommend finding a lawyer with expertise in this area and who has
> specific knowledge of your operation.
>
> Matt Freitag
> Network Engineer I
> Information Technology
> Michigan Technological University
> (906) 487-3696
> https://www.mtu.edu/
> https://www.it.mtu.edu/
>
> On Wed, Jan 11, 2017 at 10:19 AM, Rich Kulawiec <r...@gsp.org> wrote:
>
> On Wed, Jan 11, 2017 at 09:37:19AM -0500, David H wrote:
> Anyone have pointers/advice on what you came up with for a reasonable
> definition of events that warrant involving law enforcement, and then
> what agency/agencies would be contacted?
>
> This question is best answered by an attorney with expertise in this area
> and with specific knowledge of your operation.
>
> ---rsk
>
> ---
>
> Keith Stokes