How To Manage a Security Breach?

Salvance writes, "A friend of mine has recently been stressed over a security breach at the company he consults for. The company maintains dozens of Windows 98 desktops to support legacy software that cannot be easily replaced. Due to the inherent lack of security in Win98, a worm was able to infiltrate almost every computer and send gigabytes of data (possibly including sensitive company data) to a 'redirector' in Eastern Europe. My friend was working on other security projects at this company and stumbled across this massive hole. He quickly convinced company executives to remove Internet access from all Win98 machines, purchase better firewalls, and implement other data protection strategies. However, the sticking point was client notification. Due to the nature of the legacy systems, there was no way to know what data was transferred. For this reason the company wanted to play it safe and disclose nothing. Of course, my friend is all for disclosure and preventing harmful use of the potentially leaked data. My friend doesn't know what to do, so I'd like to know what others here think."

No Brainer

[ReidMaynard]

Since he consults, he does not set policy. He informed management (best keep a record(s) of that), it's their call.

Re:Easy

[MyLongNickName]

Just noticed that he "consults" for the company, not works for it. This being the case, he has absolutely no say in the decision. The only thing I can say: cover your ass. Get everything in writing. If you have a verbal conversation, follow it up with an e-mail. Remember... shit flows downhill. They WILL try to find a way to shift the blame. Make sure you do not become the scapegoat.