Just a few general comments on the ongoing discussion. 1) The discussion itself is very worthwhile, even though it's probably very little help to the person who originally asked for help. Among other things, the differring points of view show that this is not a trivial issue or one that has a pat solution. 2) The discussion points out very clearly that the most important factor in responding to an incident is being prepared ahead of time. Without a corporate policy, a well prepared incident response team, proper lines of communication with law enforcement, adequate knowledge of the laws, commitment by top management, technical capabilities, and other similar things, response is likely to be inadequate. 3) It seems clear from the discussion that the people making posts to the list are not fully aware of the current environment. Several of the postings have demonstrated some limited knowledge of legal issues and several of the postings have ignored technological limitations of most organizations. Nobody started their commentary (on the list) by asking questions about the organization. Without understanding the nature of the organization, it's almost certain that any advice could only succeed by pure luck. I'm sure there are other issues that I have ignored here, but I thought it might be helpful to brush over these three areas because they are commonly missed issues in incident response. -- -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236