Last week, in conjunction with the Criminal Division’s Cybersecurity Industry Roundtable, the U.S. Department of Justice released its “Best Practices” guide for preparing for and responding to a cyber incident.  According to remarks by Assistant Attorney General Leslie R. Caldwell at the Roundtable, one study found that “the United States is number one in data breaches world-wide – accounting for about 76 percent of all incidents in 2014” and another study “estimated the annual cost of cybercrime at no less than $400 billion.” Due to the rapid increase in number and costs of these incidents, the Justice Department has increased its focus and outreach and visited with numerous members of the corporate sector, private bar, computer security researchers, industry groups and trade associations, financial institutions and others to encourage cooperation and collaboration in the fight against cybercrime.

These Best Practices “reflect[] lessons learned by federal prosecutors while handling cyber investigations and prosecutions” and incorporate input from private sector companies who have experienced a cyber breach. While this living document will be updated as cybersecurity challenges evolve and solutions are refined, it will undoubtedly set the minimum standards when a company faces a breach and/or related litigation.

The Best Practices are broken into three segments: 1) Steps to Take Before a Cyber Intrusion or Attack; 2) Responding to a Computer Intrusion; and 3) What Not To Do Following A Cyber Incident. Key guidelines include:

  • Identify your most critical cyber assets/risks or “crown jewels.”
  • Implement and test a detailed and practical action plan that includes assignments of responsibility, forensic preservation, and a notification plan.
  • Have the necessary consents to permit monitoring of your own systems and the necessary technology lined up to deal with any breach.
  • Ensure that legal counsel is familiar with your technology, applicable laws and response plan.
  • In the event of an actual or suspected breach, perform an initial assessment, implement measures to confine the breach and minimize further damage, record and forensically collect the necessary information and evidence, and log all response steps.
  • Notify the necessary people within the organization, law enforcement, the Department of Homeland Security, and potential victims, and ensure compliance with all applicable state breach notification laws.
  • Do not use a compromised system to communicate about the incident, the response or anything else.
  • Do not engage in “hacking back.”

As outlined in the Best Practice guidelines, a cyber breach action plan is a critical component of any preparation and response to a cyber incident. To read the complete set of Best Practices, click here.