On Wednesday, April 29, 2015, the Department of Justice Computer Crime & Intellectual Property Section (CCIPS) Cybersecurity Unit issued guidance on best practices for responding to data breaches. DOJ released its “Best Practices for Victim Response and Reporting of Cyber Incidents” at an invitation-only round table hosted by Assistant Attorney General Leslie Caldwell at the Robert F. Kennedy Main Justice Building in Washington D.C.
As described by AAG Caldwell, the document provides “best practices for victims and potential victims to address the risk of data breaches, before, during and after cyber attacks and intrusions.” The guidance reflects the experience of federal prosecutors and investigators, and incorporates insight from private sector entities that have managed cyber incidents.
The 15-page best practices guidance is divided into four sections: (1) Steps to Take Before a Cyber Intrusion or Attack Occurs; (2) Responding to a Computer Intrusion: Executing Your Incident Response Plan; (3) What Not to Do Following a Cyber Incident; and (4) After a Computer Incident. Included is a “Cyber Incident Preparedness Checklist” which lists significant points from the four main sections. The document also references the National Institute of Standards and Technology (NIST) Cybersecurity Framework as excellent guidance for risk management planning and policies.
Consistent with the NIST Cybersecurity Framework, the DOJ guidance recommends that, prior to any information security incident, organizations conduct risk assessments to identify and prioritize critical assets, data and services. Risk assessments can help organizations shape incident response planning. The guidance recommends that organizations develop an incident response plan of action that has specific, concrete procedures to follow in the event of a cyber attack. Once a plan is developed, organizations should test the plan with “table top” exercises, and continually update the plan to reflect changes in personnel and structure. Organizations should also ensure that they maintain necessary technology to detect and respond to cyber attacks.
The guidance also recommends that organizations engage counsel familiar with legal issues associated with cyber incidents. As referenced in the guidance, many organizations retain outside counsel who specialize in data breach related legal services. Having outside counsel in place prior to an information security incident can speed an organization’s response to an incident and ensure it complies with the organization’s legal obligations under the 47 different data breach notification statutes and the relevant regulatory regimes.
The guidance recommends a number of basic steps to be taken during an attack, as well as the admonition to not use compromised systems to communicate, and to not “hack back” or intrude upon the suspect’s network. “Hacking back” may violate a number of laws, and since many intrusions are launched from compromised systems, “hacking back” can damage or impair another victim’s system. The guidance also recommends that victim organizations continue monitoring their networks after a cyber attack for any anomalous activity and to make sure intruders have been expelled. It also recommends a post-incident review to identify deficiencies in planning and execution of the incident response plan.
During the round table discussion, AAG Caldwell stated “Put simply, at the Criminal Division we see ourselves as engaged in a long-term battle against cybercrime – a battle that we will only meet with success if we collaborate with all of you as we surmount obstacles and design innovative solutions.” The primary challenge to this collaboration is the potential use of information by federal regulators to pursue enforcement actions against victims of criminal intrusions. A victim business who fully cooperates with federal law enforcement and shares real-time cyber threat information that may benefit others, should not later be faced with an enforcement action in which their cooperation is used against them. The round-table and best practices guidance are positive steps toward resolving this tension.