-
Data breach notification press releases are legally required in most states and are published on wire services and the company's own newsroom -- both of which rank well in Google and persist indefinitely.
-
The press release itself cannot usually be removed without legal review -- but it can be de-emphasized through strategic counter-content and Google de-indexing of third-party copies.
-
News articles written about the breach in the days following the disclosure are separate from the press release and have different removal paths -- both tracks need to be addressed.
-
After 3+ years, outdated content removal requests to Google become viable for both the press release and the news articles, on the grounds that the breach is resolved and the information no longer serves current public interest.
The Two Tracks of a Data Breach's Reputation Problem
Companies that have experienced a data breach face a search result problem that comes from two distinct sources. Understanding the difference matters because the removal paths are completely different -- and conflating them leads to misdirected effort.
Track 1 -- The Company's Own Press Release
This is the notification issued by the company itself, distributed via wire service (PR Newswire, Business Wire) and published on the company's newsroom page. It was required. It ranks. It includes the company name in the headline, the number of records affected, and the types of data compromised -- all of which are searchable and surfaced in Google snippets. When a prospect or partner searches the company name, this press release can appear immediately -- sometimes above the company's own homepage -- because wire services carry high domain authority and the press release title typically contains the company name plus the words "data breach."
The wire service copy and the company newsroom copy are technically separate URLs, but they describe the same document and rank for the same searches. Both need to be addressed. The good news: the company has direct authority over both. It is the submitter of record on the wire service and the owner of the newsroom page.
Track 2 -- News Coverage of the Breach
TechCrunch, Krebs on Security, local business press, trade publications -- these covered the breach independently, in their own words, often with editorial framing that goes beyond what the press release said. They are separate from the press release and require separate editorial removal or de-indexing requests. A news article from a major technology publication can rank even higher than the original press release and is harder to remove because the company has no submitter rights over third-party journalism.
This article focuses primarily on the company's own press release and wire service copies. The news coverage track follows the standard news article removal process, which involves editorial outreach to the publication and Google de-indexing requests. Both tracks need to be worked simultaneously for a complete breach reputation recovery.
Can You Remove Your Own Breach Notification Press Release?
The short answer is: in most cases, yes -- and most companies never realize this. There is a common misconception that because the press release was legally required, it must remain publicly accessible forever. That is not accurate in most jurisdictions.
Most state breach notification laws require that companies notify affected individuals and, in some states, the state Attorney General. They do not generally require that the notification remain permanently published on a wire service or company website. The notification requirement is typically satisfied at the time of disclosure -- keeping the press release live indefinitely is not a legal requirement. It is simply what happens when no one revisits the decision after the breach response is complete.
This means: removing or de-emphasizing the press release after the statutory notification period is, in most cases, legally permissible. The company should confirm with its legal counsel before removing breach-related disclosures. Requirements vary by state and industry. Healthcare companies subject to HIPAA face additional layers. Companies in heavily regulated industries may have retention obligations that apply. But in most general commercial contexts, a press release published two, three, or five years ago has fulfilled its notification purpose and the continued live publication is simply inertia.
For SEC-reporting companies: 8-K filings with the SEC disclosing material breaches are permanent public records on EDGAR and cannot be removed. But the accompanying press release is a separate document -- a communication vehicle, not the regulatory filing itself -- and is generally removable. The 8-K will remain on EDGAR regardless of what happens to the press release.
"The breach notification is the disclosure. The press release is the vehicle. Once the notification period is satisfied and affected individuals have been notified, the continued live publication of the press release is a business decision, not a legal requirement. Most companies simply never revisit it -- but they should."
The Wire Service Copy Problem
Most breach notification press releases are distributed via PR Newswire or Business Wire, creating two high-ranking URLs -- the wire service copy and the company's own newsroom page. The wire service copy often has higher domain authority and may actually outrank the company's own site for searches on the company name.
The critical point: as the submitter of record, the company can request removal or correction from the wire service. This is not a request to a third-party publisher that has editorial discretion. This is a request to a distribution platform by the entity that paid to distribute the content and retains rights over it. Wire services have processes for handling submitter removal and update requests.
For PR Newswire copies, the company should contact Cision (which owns PR Newswire) through client support and identify itself as the original submitter. For Business Wire copies, contact Business Wire support directly. For wire service press release removal in detail, see our guide to removing press releases from PR Newswire and Business Wire.
Frame the request as a content update: the breach is resolved, systems are secured, all required notifications have been sent, and the press release no longer accurately reflects the company's current security posture or status. Wire services are generally responsive to submitter removal requests when the submitter can be verified and the request is well-documented.
Simultaneously with the wire service outreach, submit Google URL de-indexing requests for each wire service URL through Google Search Console. If the wire service removes the page, Google will eventually discover the 404 and de-index it. But submitting a direct de-indexing request through Search Console speeds the process significantly. For aggregator copies that syndicated the wire service content (Yahoo Finance, MarketWatch, MSN News), source removal followed by Google URL de-indexing is the correct sequence.
The Company Newsroom Page
The company controls its own newsroom page entirely, which means the options are broader here -- but the decision requires more nuance than simply deleting the URL.
Full removal: Technically simple -- the company owns the page and can delete it. The risk is that if a journalist, regulator, or plaintiff's attorney searches for the notification and finds it missing, questions may arise. Full deletion is the bluntest instrument. Mitigate this risk by keeping the notification in a compliance archive section of the website that carries a noindex tag rather than deleting the content entirely.
noindex tag (recommended): Adding a noindex meta tag to the press release page instructs Google to remove it from its index while the page remains accessible via direct URL. Anyone with the URL can still access the notification. Journalists, regulators, and auditors can still be directed to it. But it disappears from Google's search index within days to weeks of the tag being recognized. This is the recommended path for most companies -- it satisfies any need for the disclosure to remain accessible while removing it from name searches.
robots.txt exclusion: Less precise than noindex; excludes entire newsroom paths from Google crawling. Useful if the company wants to block an entire section rather than a single page, but noindex is preferable when targeting a specific press release while leaving the rest of the newsroom indexed.
Canonical redirect: Pointing the old press release URL to a current security page -- for example, the company's current security practices page or a summary of improvements made since the breach -- gives Google a signal that the content has been superseded by more current, authoritative information. This is a softer approach but can help suppress the press release in ranked results over time even without full removal.
Do not delete the breach notification press release entirely without consulting legal counsel. Some states require that breach notifications remain accessible for a specified period. The recommended path is noindex (keep accessible, remove from search) rather than deletion. This preserves the record for compliance purposes while removing the search visibility that causes ongoing reputational damage.
News Articles About the Breach -- The Separate Track
TechCrunch, Krebs on Security, and trade press articles about the breach are separate from the press release and require a completely different approach. These are third-party editorial pieces owned and controlled by the publication. The company has no submitter rights and no technical control over these pages.
The removal path for news articles involves direct editorial outreach to the publication, making the case that the article is factually outdated -- the breach is resolved, no further risk exists, systems have been secured and often independently audited, and the article's continued prominent search ranking causes ongoing harm without serving current public interest. For articles that are three or more years old describing a resolved breach, this is a strong argument that many publications are willing to hear.
When editorial removal is not possible, Google de-indexing requests based on outdated content grounds can be submitted through Google's Search Console tools. Google evaluates these requests on a case-by-case basis, but the likelihood of success increases significantly when the breach is demonstrably resolved, the content is several years old, and there is documented evidence of the company's current security posture. For a detailed walkthrough of how Google handles negative article removal requests, see our full guide on that process.
For a comprehensive breach reputation recovery, both tracks -- the press release track and the news article track -- need to be addressed in parallel. This article focuses on the press release. The news article removal process is covered separately and applies fully to breach coverage. If a data breach also triggered a class action lawsuit press release or an SEC enforcement action press release, those require their own separate removal strategies.
Regulatory Filings -- What Cannot Be Removed
Several categories of breach-related records are permanent government filings that no company can remove. Understanding what is off the table prevents wasted effort and allows the recovery strategy to focus where action is actually possible.
SEC 8-K filings (public companies): Public companies that disclosed a material data breach in an 8-K filing have a permanent record on EDGAR. EDGAR is the SEC's public filing database and is not subject to modification or removal by the filing company. These records may appear in Google searches for the company name combined with "data breach," but they cannot be removed. The 8-K itself is not the target of a removal strategy -- the press release and news articles are.
State AG notification filings: In states that require notification to the state Attorney General (California, New York, and others), those filings become part of the regulatory record. Many state AGs publish breach notification summaries publicly. These are government records and cannot be removed by the company.
HHS breach portal (HIPAA breaches affecting 500+ individuals): The HHS Office for Civil Rights publishes all HIPAA-covered breaches affecting 500 or more individuals on its public breach portal. This list -- sometimes called the "Wall of Shame" in the industry -- is a permanent federal record. HHS does not remove listings at company request. Healthcare companies dealing with an HHS breach portal listing should direct their removal and suppression strategy entirely at the press release, the wire service copy, and the news articles -- not at the federal listing.
FTC reporting (FTC-regulated entities): Companies that reported a breach to the FTC have created a compliance record that is part of the federal regulatory file. These records are not removable.
The practical takeaway: concentrate all removal effort on the press release (wire service copy and company newsroom page) and the news articles. These are the records that rank in Google, do the most ongoing reputational damage, and are actually addressable. For more context on what types of government press releases and public interest records are removable versus permanent, see our guide on government press release removal.
Breach Press Release Content -- Removal Difficulty by Type
| Content Type | Removal Approach | Difficulty | Notes |
|---|---|---|---|
| Company newsroom press release | Add noindex tag (keep accessible, remove from search) | Easy | Fastest path; keep for compliance archive; confirm with legal first |
| Wire service copy (PR Newswire / Business Wire) | Submitter removal request or correction | Moderate | Company is submitter of record -- has full rights; verify account access first |
| News articles (TechCrunch, trade press, Krebs) | Editorial removal request or Google de-indexing | Moderate-Hard | See separate news article removal process; stronger case after 3+ years |
| SEC 8-K filing (public companies) | Impossible -- permanent federal record | N/A | Suppression and counter-content only; 8-K is separate from press release |
| HHS breach portal (HIPAA, 500+ records) | Impossible -- permanent federal record | N/A | Suppression only; HHS does not remove listings at company request |
| Aggregator copies (Yahoo Finance, MSN, etc.) | Source removal + Google URL de-indexing | Moderate | Remove from wire service source first; aggregators typically drop content within weeks |
| Google search result (any copy) | Outdated content removal request (3+ years post-breach) | Moderate | Strongest argument after resolution is documented; submit through Search Console |
The 6-Step Breach Press Release Recovery Plan
-
1Audit all breach-related URLs ranking for your company name. Search your company name in incognito mode and document every breach-related result in the first three pages: the company newsroom page, the wire service copy, aggregator copies, and news articles. List each separately with its URL, domain, and approximate ranking position. This is your working inventory.
-
2Confirm with legal counsel that the notification period is satisfied. Before touching any breach disclosure, verify with your legal team that removing or de-emphasizing the press release is permissible under your state and industry requirements. In most cases the answer is yes -- but document the legal sign-off before proceeding.
-
3Add a noindex tag to the company newsroom press release page. This is the fastest and lowest-risk action. The page stays accessible via direct URL for compliance purposes but disappears from Google's index within days to weeks. This single step removes the company's own copy from search without destroying the record.
-
4Contact the wire service as submitter to request removal or update of the wire service copy. Simultaneously, submit Google de-indexing requests for each wire service URL and all aggregator URLs through Google Search Console. The de-indexing requests give Google direct notice; the wire service removal makes the underlying pages return 404s, which Google will eventually discover regardless.
-
5Address news articles separately using the editorial removal process. For articles that are three or more years old describing a breach that is fully resolved, the outdated content removal argument is strong. Editorial outreach to the publication, combined with Google de-indexing requests if editorial removal is declined, is the correct approach. See the full news article removal guide for the detailed process.
-
6Publish current security content to build positive, ranking counter-content. An updated security practices page, a summary of improvements implemented since the breach, third-party audit certifications or SOC 2 compliance documentation, and a security blog series give Google positive, current, authoritative content to rank for your company name. This counter-content strategy displaces remaining breach coverage from the top of search results even when removal is partial or slow.
The breach was years ago. Your security is stronger. Your Google results haven't caught up. We can help.
Talk to a SpecialistCommon Questions About Data Breach Press Release Removal
Your Google Results Are Stuck in 2021. They Don't Have to Be.
Your company addressed the breach. Your security is stronger. The press release ranking for your company name does not reflect where you are today. Our team has helped companies in every industry recover from breach-related search reputation damage.
Free assessment. Confidential. No obligation.