On Wednesday, April 29, King & Spalding Partner Phyllis Sumner and Counsel Nick Oldham participated in DOJ’s first Cybersecurity Industry Roundtable regarding data breaches. The Roundtable included several notable DOJ and law enforcement participants, including newly confirmed Attorney General Loretta Lynch, Assistant Attorney General for the Criminal Division Leslie Caldwell, Assistant Attorney General for the National Security Division John Carlin, Acting Assistant Director of the FBI Cyber Division James Trainor, and U.S. Secret Service Special Agent in Charge of the Criminal Investigative Division Stuart Tryon. The Roundtable offered several takeaways, chief among them DOJ’s and law enforcement’s stated goal of treating companies harmed by computer intrusions as victims rather than as suspects.
During the Roundtable, DOJ released guidance titled “Best Practices for Victim Response and Reporting of Cyber Incidents.” The guidance provides, and explains, a checklist of steps that companies can take before, during, and after a security incident. The steps include, among other things, having an actionable incident response plan in place before an incident occurs, aligning other internal policies with the incident response plan, and retaining counsel familiar with the legal issues associated with cyber incidents. The full guidance is available online.
The guidance also restates DOJ’s position regarding network monitoring and offensive actions colloquially known as “hacking back.” With respect to network monitoring, DOJ states that “[r]eal-time monitoring of an organization’s own network is typically lawful if prior consent for such monitoring is obtained from network users,” such as through network warnings or log-in banners. With respect to hacking back, DOJ states that “[a] victimized organization should not attempt to access, damage, or impair another system that may appear to be involved in the intrusion or attack,” because “[r]egardless of motive, doing so is likely illegal[.]”
The guidance appears aimed at maximizing DOJ’s ability to investigate and prosecute cyber criminals, but state and federal regulators might look to the guidance as a roadmap for steps companies should take in implementing reasonable security practices.