J. Edgar Hoover FBI Building, Washington, D.C. (Diego M. Radzinschi)
U.S. companies’ vulnerability to data security incidents through computer hacking has garnered unprecedented public awareness in the last 12 months. Given the increasing volume of user data that businesses generate and its significant value, hacking will remain a common feature of the data landscape. In one respect, the most sophisticated hack is no different from the first stagecoach robbery: A crime has occurred.
Both the Computer Fraud and Abuse Act and Stored Communications Act contain criminal penalties for certain violations (see 18 U.S.C. §§ 1030 & 2701, respectively) and, depending on the particular data taken from the victim, other federal statutes may be implicated as well. Therefore, in the rush to respond to the hack, the victim needs to assess whether the involvement of law enforcement is appropriate.
In our experience, we often see hacking victims hesitant to involve law enforcement. They fear law enforcement snooping around the company will soon lead to a knock on the door of a government regulator. This concern can start to outweigh the very real need to collect evidence, potentially find the perpetrator or determine if the attack is connected to other attacks or threat indicators that law enforcement is monitoring. What does a careful thought process look like to determine when and whether to involve the government?
As a first step, assess what data was accessed or exfiltrated. Hopefully, your organization is prepared with an Incident Response Plan (IRP) that can be put into action quickly and that identifies the key roles and leaders in the response. Your IRP should help you identify what information assets your company has and where they are stored, and thus whether the security of critical data was compromised. A best practice is to exercise the IRP against a simulated attack (for example, a tabletop exercise) to see how it works under realistic conditions. You don’t want to find out your IRP has problems when you are responding to a real hack.
Knowing the sensitivity of the data at risk should help you formulate next steps: If you can be assured that the only data that was compromised involves information that does not bear on personal privacy, business data or trade secrets, keeping the process in-house may be defensible. If, however, critical, business-sensitive information has been compromised or extracted (or if your systems are in a state such that you cannot make that determination), reaching out to the authorities for help becomes a better option.
You should also assess whether the security incident raises business concerns, regulatory concerns or both. Does the incident have the potential to violate privacy guarantees that your organization has made to customers? Will you need to provide notice to affected individuals? If so, keeping everything in-house may later carry the whiff of a cover-up if the incident becomes public, but having brought law enforcement into the mix shows that your organization is treating the event as the criminal invasion that it was.
As a final step, honestly assess your organization’s capability to investigate alone. Is your log retention sufficient that you can determine who accessed what data and when? Is your internal security team sophisticated enough to collect and investigate the various forms of network-based evidence without destroying that evidence in the process? Will you benefit from the potential trove of information that law enforcement might be able to provide based on the attacker’s tactics, techniques and procedures?
In most cases, this analysis will weigh in favor of informing law enforcement. Generally, the first point of contact should be the FBI, which is the lead federal agency charged with investigating cyberattacks through its Cyber Division. Here in Atlanta, the FBI maintains a field office, with other satellite offices throughout Georgia. Network intrusions are one of the Cyber Division’s key priorities, and agents can help your organization coordinate with other relevant agencies, such as the Department of Homeland Security (DHS). The Cybersecurity Information Sharing Act of 2015 (CISA), in particular, provides a framework for sharing cyber threat indicators between the private sector and the federal government, with DHS distributing them to other relevant stakeholders, with the goal of identifying and stopping malicious actors through increased information and awareness.
Remember that the FBI’s primary concern when called for a cybersecurity incident is catching perpetrators and stopping future incidents; FBI agents generally are not interested in scrutinizing your company or business practices for other potential violations. The FBI also is not responsible for turning information over to regulators, which is reassuring for many victims.
Remember that, if your organization is in an industry with regulatory breach reporting requirements (especially health care and finance), reporting to the FBI does not satisfy or waive any of those direct reporting obligations. In some circumstances, where public notification could compromise the investigation or national security interests, the FBI can provide a written law enforcement delay request (often called a “safe harbor” letter); many notification regimes, including the HIPAA Breach Notification Rule and many state breach statutes, recognize such a request as grounds to extend reporting deadlines beyond what you otherwise might have. Note that this delays the obligation rather than eliminating it.
When dealing with the FBI, it is recommended that experienced outside counsel be involved from the first communication onward. Anything said to agents could become public during a civil suit or later investigation by regulators; therefore, you will want legal guidance when navigating this terrain.
Your engagement with the FBI does not make it your own private forensic team or relieve you of your own responsibility to investigate. You will still need to know where your own security broke down, where internal controls failed and what improvements to your internal architecture are needed to defend against future attacks. This work, again, should be managed through outside counsel in order to protect privilege in the event of a future investigation or litigation. A California federal court recently laid out several best practices for maintaining a privileged data security investigation, starting with retaining and managing all forensic vendors and consultants through outside counsel rather than directly. See In re Experian Data Breach Litig., No. 15-01592 (C.D. Cal. May 18, 2017).
Finally, if your organization or industry may be especially susceptible to cyber intrusions, an informal, proactive outreach to the Cyber Division might be in order. Knowing and establishing a rapport with your local agents is a good way to stay ahead of the curve in the event you suffer a security incident.
While nobody ever hopes to deal with law enforcement, it can play an important and irreplaceable role in cyber incident response. If you suffer an incident, remember that you are a crime victim, and just because the crime took place in the digital realm, it’s a crime no different from a stagecoach heist.