The Department of Justice’s Cybersecurity Unit recently released its report outlining best practices for responding to and reporting cyber incidents. See Best Practices for Victim Response and Reporting of Cyber Incidents, Version 1.0 (April 2015). The report applies broadly to organizations with internet connections and emphasizes the need to create a plan before an incident occurs. It reflects input from federal prosecutors who have handled cyber investigations as well as from the private sector. Although the guidance applies to organizations of any size, the report was prepared to assist smaller organizations.

Prior to a cyber incident, businesses should identify their most critical needs and resources, and make protecting those a priority to avoid catastrophic harm. The report identifies the National Institute of Standards and Technology (NIST) cybersecurity framework as a guide to risk management planning and policies. Organizations should implement an “actionable” plan that provides specific, concrete procedures to follow in the event of a cyber incident. The plan should detail items such as: the roles of various personnel in the response; how to contact critical personnel; how to proceed if critical personnel are unreachable; what data, networks or services are most important; how to preserve data in a forensically sound manner; who should be notified of the intrusion; and procedures for notifying law enforcement and any other relevant persons.

The report also indicates what not to do following a cyber incident. An organization that falls victim to a cyber attack should not use the compromised system to communicate, and should not hack into or damage another network. If a victim organization must use its compromised system, it should encrypt communications and instruct employees not to disclose incident-specific information to unknown persons. Finally, the report states that even if another organization’s system appears to be involved in the same attack, a victimized company should not attempt to access or impair the other system, as doing so could expose the company to claims of liability, regardless of motive.