BreachExchange mailing list archives

Nationwide Insurance uses lawyers to protect details of October security breach


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Wed, 3 Apr 2013 10:41:57 -0400

http://www.theverge.com/2013/4/1/4170214/nationwide-insurance-covers-massive-security-breach-details-attorney-client-privilege

Nationwide Insurance wants to keep possible weaknesses in its digital
infrastructure under wraps as state and federal investigators look
into its October security breach that left 1.1 million Americans'
information exposed. The company has hired a legal firm to conduct an
investigation of the security breach, granting the results the
protected secrecy of attorney-client privilege, reports The Wall
Street Journal. The new practice is being adopted by many companies
that have fallen victim to cyberattacks, leading some law firms to
begin specializing in this type of data-breach investigation.
Frequently, the legal counsel will contract a data security firm to
perform the actual analysis.

Nationwide's move may protect it from disclosing potentially harmful
findings, but it's possible that a third-party investigation — whose
results would be public, not private — could still be mandated. The
company's reticence comes as the US government is pushing for greater
openness from private firms as the risk of a major cyberattack rises.
Nationwide may decide to share information found during the
investigation, but having legal counsel will allow the company to more
carefully consider any findings that it wishes to publish.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
