Matt Fisher has a post on a topic near and dear to DataBreaches’ heart: how much detail to include in a brief notification. Matt covers the minimum requirements, as mandated by HIPAA, but then starts to consider more complex situations. He writes, in part:
Without being able to cover every scenario or nuance, there are some instances when more detail could be called for. One example is when a security researcher provides information about data being available or exposure occurring. An independent security researcher should be considered a more reliable source than a cyber-attacker posting notice of having data (that will be addressed next) and approaching the researcher with a shoot-the-messenger mentality is not productive. If information is provided about an issue, that information can be used to formulate the description of the breach incident. While it is probably not necessary to use all of the information, it is helpful to consider adding in more than a statement that an issue occurred.
The decision to get more detailed could also be influenced by the independent actions of the researcher.
Read more at The Pulse.