Public notification

As discussed previously, there are several legal and compliance requirements that need to be taken into consideration when deciding how to notify customers or the general public about an incident. Organizations may have to walk a fine line between complying with the requirements of regulations such as HIPAA and not disclosing operational details of an incident that is still under investigation. Compounding this pressure are the possible impact on stock value and the potential for lost business. With all these pressures, it is critical to craft a message that satisfies the legal or compliance requirements while also limiting the damage to the organization's reputation, revenue, or stock value.

While directly involved in the incident at hand, the CSIRT should not be responsible for crafting a public notification statement. Rather, the CSIRT should be available to provide insight into the incident investigation and to answer any questions. The two business units best placed to craft the message are the legal and marketing departments. The marketing department would be tasked with crafting a message that limits the fear of backlash from customers. The legal department would be tasked with crafting a message that meets legal or regulatory requirements. The CSIRT should advise as far as possible, but these two business units should serve as the point of contact for any media or public questions.
