The recently formed Cybersecurity Unit of the Criminal Division of the Department of Justice (the “DOJ”) recently issued guidance regarding best practices for organizations to protect against and respond to cybersecurity risks. The guidance, titled “Best Practices for Victim Response and Reporting of Cyber Incidents,” was drafted with smaller organizations in mind, but has relevance to larger ones as well.
WHAT TO DO IN ADVANCE OF A BREACH
The DOJ urges organizations to prepare an incident response plan before a breach occurs, and recommends that an organization do the following:
- Identify, prioritize and provide greatest protection for critical assets;
- Develop and test actionable incident response plan that identifies steps an organization will take in the event of a cybersecurity incident, including personnel responsible and communication protocols, among other things;
- Have in place, or have readily available, the technology and tools necessary to respond, including data recovery tools and intrusion detection capabilities, among other things;
- Ensure that legal counsel is available and well-acquainted with technology and relevant privacy and cybersecurity laws;
- Monitor systems communications after obtaining user’s prior consent;
- Put in place appropriate corporate (HR and IT in particular) policies to minimize “insider threats”;
- Establish relationships with law enforcement and cyber information sharing organizations.
HOW TO RESPOND IF A BREACH OCCURS
As the DOJ explains, an incident response plan should not just lay out the procedures for managing a breach, but also how an organization can continue to function if an incident occurs. The DOJ urged organizations that suffer an intrusion to:
- Assess the incident to determine if it was a malicious act or a technological glitch;
- Take action to mitigate damage, such as by rerouting network traffic or isolating all or parts of the compromised network;
- Collect evidence and information relating to the incident, including copying the impacted hard disk, preserving logs of network activity, recording steps taken by the organization, as well as activity related to ongoing attack; and
- Notify relevant parties, including appropriate internal personnel, law enforcement, customers and other potential victims (for example another company whose data was stored on the affected network).
HOW NOT TO RESPOND AFTER A BREACH
The DOJ emphasized the importance of avoiding use of the affected system. If the system must be used, the DOJ counsels that the organization should encrypt communications. Lastly, the DOJ emphasizes that an organization that suffers an attack should not respond in kind to another system it suspects was involved in the attack.
Once the cybersecurity incident seems under control, the DOJ urges ongoing vigilance and continued monitoring of systems for anomalous activity. The DOJ also recommends that an affected organization conduct a post-incident review of the response to identify and address deficiencies.
The recommendations made by the DOJ are not mandatory, but they do touch on a number of important issues organizations should consider to combat cybersecurity risks. One of the first, and most important, steps in meeting these challenges is developing and maintaining an incident response plan that can help an organization ward off and/or manage through a cybersecurity threat. By being prepared, an organization is more likely to be able to mitigate the impact of a breach - both from a business and legal exposure standpoint.