Another federal agency has weighed in with “guidance” on cybersecurity preparation and breach response.  The Department of Justice (DOJ) is the latest to issue guidance on how companies should respond to data breaches.   The guidance is not perfect, and in some respects is simply a recitation of existing best practices, but it is still valuable because it signals the government’s increased willingness to foster public-private cooperation against cybercrime, and it sets out the DOJ’s latest thinking on responding to cyberattacks.  

Common Sense Advice

Embracing much of NIST’s recently published Cybersecurity Framework, the DOJ guidance provides several useful tips and some common sense advice to businesses as they prepare for cyberattacks. The guidance also has a useful check-list that many smaller businesses or start-ups may find useful as they develop their privacy and data-security infrastructure.

The DOJ’s first recommendation is that companies develop robust incident response plans prior to a breach (i.e. now). Such plans should identify key corporate assets, clearly establish lines of control and communication, inventory available technical resources and ensure their availability during an attack, have identified and retained experienced counsel with knowledge of relevant laws and practices, and have a working relationship with the FBI, Secret Service, and industry cyber intelligence sharing organizations.

Second, the guidance outlines a four step process for responding to a cyberattack.

  • The first step is making an initial assessment of the scope and nature of the incident.
  • Next, a business should implement measures to wall off the attack through rerouting network traffic, filtering, and enhanced segmentation of compromised systems.
  • Third, business should record and collect evidence of the attack, and take steps to preserve such evidence prior to undertaking remediation efforts.
  • Finally, and unsurprisingly, the guidance advises businesses to always notify law enforcement of an attack (more on this below).

Finally, the guidance sets out what companies should not do in the event of a cyberattack. A key warning here is that businesses should not “hack-back” or attempt to penetrate or damage an attacker’s systems.   This warning is well taken—penetrating another system, even one believed to be involved in maliciously compromising a network, may expose individuals or business to criminal liability under the Federal Computer Fraud and Abuse Act, or to civil damages and penalties.

Limitations of the DOJ’s Guidance

Any pre-scripted guidance, even guidance from the DOJ, should be taken in context. Cybercriminals target and exploit gaps in a company’s security and compliance controls. This means that even the best organized companies, with the best laid plans, can struggle to respond to a cyberattack that exploits a loophole, a gap, or an unchallenged assumption. To address this reality, companies should—as the DOJ recommends—engage experienced counsel, but they should also develop a relationship with cybersecurity and forensic experts—like Cylance, Mandiant, or KPMG—who can not only provide pre-breach intelligence and planning assistance, but can also be quickly available to help respond to a breach.

The DOJ’s guidance is also silent on a key element of pre-breach planning: war-gaming. Companies developing incident response plans should routinely test those plans in simulated war-games and table top exercises with all stakeholders. This process helps companies identify issues and ensure all stakeholders understand their respective roles and responsibilities. The Mintz Privacy team has been recommending that for a while.  You test your disaster response plan; if you have an incident response plan, you should test it.

Finally, the DOJ’s recommendation that law enforcement should be contacted immediately if criminal activity is suspected is open for debate. While we applaud the DOJ, and the FBI and Secret Service, for taking steps to minimize business disruptions and liability concerns, and we appreciate the need for enhanced public-private cybersecurity cooperation, any decision to provide notice to law enforcement should only be taken after a company has consulted counsel and carefully assessed its notification requirements under existing state data breach notification laws. To be clear, we believe that companies should cooperate with law enforcement; however,  such cooperation should be carefully considered.