The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.
Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.
Many of the areas where we have seen companies struggle involve management-level strategic decisions that must be made when a security incident is identified. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities.
While there may be no right or wrong answer, in our experience executives that have anticipated these decision points before a breach are better able to make decisions that align with the organization’s overall strategic goals and are able to do so with greater speed and confidence.
Situation. Several different agencies have jurisdiction to investigate cyber crimes. On the federal level the two most common enforcement agencies are the Federal Bureau of Investigations and the United States Secret Service. Although in our experience most FBI and USSS investigators are respectful of the numerous factors that a company must consider when cooperating with law enforcement, some investigators request a level of cooperation that may injure the company, its business contacts, or consumers. For example, some of our clients have received requests from law enforcement to look at logs or servers that may house sensitive personal information about consumers who were not impacted by the incident and about which the organization may have contractual or legal requirements not to share information with government agencies absent notifying each data subject.
Strategic considerations: Management typically considers the following factors when determining the degree to which your company can/should cooperate with law enforcement:
- Loss of Access to Evidence. Many law enforcement agencies will not return evidence once it is in their possession. As a result, if a law enforcement agency requests a server, smartphone, or other electronic device you may lose the ability to conduct your own investigation of the device if the original is provided to them.
- Lack of Bi-lateral Cooperation. Different law enforcement agents are willing to provide different levels of information to victim companies. Put differently, some law enforcement agencies may request data or information from your company, but are unwilling to share any information that they develop from that data or information with your company.
- International Implications. Some countries – particularly the European Union – have voiced concern with the level of government access to personal data that exists within the United States. As a result, multi-national companies that operate in the European Union must consider not only the legal permissibility of sharing information with United States government agencies, but the potential political impact as well.
- Company as the Target. Although many law enforcement agencies realize that organizations are victims of data breaches, some investigators still consider law enforcement actions against companies that they believe did too little to protect information prior to the breach. If your company is a potential target you may want to carefully examine your level of cooperation with an investigator.
- Destruction of Privilege. Although the CyberSecurity Act of 2015 was designed to permit a company to share privileged information with law enforcement without waiving the privilege, the act has important limitations particularly when it comes to sharing information with state law enforcement.