In a recently published white paper, Best Practices for Victim Response and Reporting of Cyber Incidents, the Cybersecurity Unit of the Department of Justice's Computer Crime & Intellectual Property Section (CCIPS) encourages companies to plan how to prepare for and respond to an attack before a cyber incident occurs. The white paper lays out useful guidance for handling cyber incidents that builds on the best practices that the National Institute of Standards and Technology (NIST) recommends in the Computer Security Incident Handling Guide and the Cybersecurity Framework. It offers practical suggestions that can help companies develop processes for responding to data breaches, although a company's incident response plan and policies should address additional issues not discussed in the white paper.
The white paper reinforces that federal law enforcement authorities tend to view a company hit by a cyber attack as a victim, and not the perpetrator, and encourages companies to cooperate with federal law enforcement, both before and after a cyber incident occurs. This push for cooperation is a familiar one: the Department of Justice struck the same chord during two recent roundtables, the Active Cyber Defense Experts Roundtable on March 10, 2015 and the Cybersecurity Industry Roundtable on April 29, 2015. The Department of Justice is encouraging companies to establish ongoing relationships with law enforcement before they are hit with a cyber attack or intrusion in order to facilitate future communication and information sharing. Once an incident occurs, the white paper suggests that organizations notify federal law enforcement if the organization suspects criminal activity.
The white paper discusses potential benefits that a company may enjoy by engaging federal law enforcement early in an incident investigation. For example, the white paper mentions that companies may benefit from federal law enforcement's access to specialized forensic tools and legal authorities or international partnerships that may help to identify and capture an attacker. It notes that regulators may look favorably on companies that cooperate with law enforcement regarding a suspected breach. The white paper also observes that some state data breach laws allow delays for mandatory notifications to affected customers depending on law enforcement's assessment of the breach and the effect the report would have on an investigation. Before deciding on when and what to report under state data breach laws, however, companies should consult legal counsel to evaluate the specific facts.
While the white paper gives companies a starting point, companies trying to develop their own breach response plans will do well to evaluate a host of other issues that the white paper does not address. For example, in communicating with or engaging outside consultants when dealing with a breach, companies will want to consider how to protect confidentiality where possible. Using legal counsel to engage outside security professionals hired to audit or investigate a suspected incident may help maintain privilege. Also, trying to maintain the privilege where appropriate should be a key consideration in formulating any communication plan with federal law enforcement. Counsel can also help coordinate information released to the press and other public communications.
This privilege concern is especially important given that other federal (or state) regulatory enforcement agencies may not share law enforcement's view that companies that have had a data breach should be considered victims of criminal activity. For example, the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) may instead view such companies as targets for an enforcement action for failure to protect consumers' private information. Moreover, companies may also face class action litigation from customers who were affected by the breach.
Summary of Best Practices Identified By CCIPS
Before an Incident:
- Identify critical assets requiring additional protective measures
- Review and adopt risk management practices for cybersecurity
- Create, test, and update an actionable incident response plan
- Employ technology to detect incidents and mitigate potential damages
- Establish policies for monitoring of internal networks
- Consult legal counsel experienced with the legal issues surrounding incidents
- Implement policies and procedures consistent with the incident response plan
- Develop relationships with outside entities that may assist in responding to an incident
During an Incident:
- Assess the scope and nature of the incident
- Mitigate ongoing damages, consistent with the established incident response plan
- Gather and preserve data from the incident
- Notify appropriate stakeholders and incident response partners
After an Incident:
- Monitor for renewed activity that may indicate the incident is ongoing
- Review lessons learned from executing the incident response plan
Overall, CCIPS' white paper presents a number of potential best practices for companies to consider in developing their own incident response plans. Companies would do well to compare their existing policies with these best practices during regular audits of their information security practices.
Companies should also seek guidance from legal counsel experienced in information security matters and in coordinating with law enforcement. Counsel can help tailor a company's cybersecurity practices to the risks and business needs of the company. Planning for every stage of a cyber incident needs to be tailored to the specific circumstances involved. The Department of Justice white paper offers helpful suggestions to guide companies through this process.