Civil practice attorneys are sometimes confronted with a situation in which their clients are victims of a crime. In such situations, there are a number of complex issues to consider when deciding whether to bring the matter to the attention of law enforcement or administrative authorities. In general, the issues include assessing the client’s goals in pursuing a law enforcement approach, determining which of a number of possible law enforcement entities to approach, and how best to craft the “pitch.”
This article focuses on the unique issues that arise in a specific but increasingly common scenario: when your client is the victim of a cybercrime.
Imagine this scenario: your client calls you, his civil attorney, and says, “the company has been hacked—what do we do?” The first step is, of course, to understand what has happened—that is, what your client means by “hacked.” Such “hacking” can take a number of forms. For instance, an outsider has gained entry into a business’ internal data systems (such as emails or financial data); a business is a victim of “ransomware;” a former or rogue employee has stolen computer data from the company; the company is suffering from any of a number of denial-of-service attacks, and so on. Cybercrimes take many forms, and though the general theme is that the victim’s digital assets have been compromised or stolen, it is important to confirm the nature of the attack that has occurred.
Having identified the nature of the crime, the question then must turn to a response. As a starting point, there are four key distinctions between the general client/victim case and the special case of a cybercrime victim. First, unlike most typical crimes, cybercrime is often both immediate and ongoing—in other words, the client’s digital property may be in continuing and immediate danger. Second, unlike most other crimes (where there is no duty to report being a victim), many cybercrimes (and the concomitant data breach) are the subject of an increasing body of federal and state self-reporting requirements; the client may not have a choice and may need to report. These reporting requirements may involve both law enforcement and consumer protection agencies. Third, the time frame for action and reaction is often much shorter than in non-cyber situations—gathering of information and preservation of evidence may require action in days, maybe even hours. As a result, time is often of the essence. Fourth, and finally, even the most tech-savvy client and attorney will likely need professional technical assistance to understand and respond to the cybercrime, necessitating a ready stable of resources available to assist in response to the cybercrime.
Taking into account these unique factors, there are a number of considerations every civil attorney must be mindful of when counseling a client who has suffered a cyber-breach.
To Report, Pitch or Not to Pitch?
The first thing every savvy civil attorney confronted with a client’s breach must research is whether the jurisdiction of the breach requires mandatory disclosure to law enforcement or administrative authorities. Even if your jurisdiction does not require disclosure of a crime, you may be required to report a cyber-attack if the breach affects personal identifying, health or financial information. Assuming that the cyber-attack does not affect personally identifying, health or financial information, the next crucial inquiry is to weigh the benefits and pitfalls of involving law enforcement.
The benefits to notifying and involving law enforcement are at once obvious and more nuanced. An immediate benefit of involving law enforcement is the appearance of transparency and the related public goodwill. Another obvious benefit is the specialized expertise and skillset that law enforcement can bring. For instance, the detectives and investigators who deal with cybercrimes are often extremely sophisticated and knowledgeable. Significant federal and state resources are expended in training and updating the detectives in the areas of cyber-vulnerabilities and prevention. Furthermore, law enforcement agencies possess powerful tools to combat and investigate cyber-attacks that civilians simply do not have. For instance, they are able to serve subpoenas and preservation orders to financial institutions and tech giants, who are often reticent to disclose information outside the direction of the law. Law enforcement can also obtain and execute search warrants, and can compel testimony through the grand jury process. Less formally, a gun and badge have a different effect on witnesses than an attorney or private investigator.
More subtly, in the event that your client did suffer a cyber-attack where personal identifying, health or financial information was comprised, you may be able to delay the mandatory disclosure to the individuals affected by the attack by involving law enforcement. This will allow you and your client to collect information, diagnosis the problem, formulate a response strategy, and engage other third parties on your behalf (such as forensic researchers or your cyber-insurers), while ensuring that additional data is not compromised.
Along with the benefits, the civil attorney must consider the downside to involving law enforcement. A tremendous consideration is the loss of control once the case is reported to investigators. That is, a law enforcement investigation may supersede any civil efforts your client may want to pursue. For example, law enforcement may require your client to allow the continued use of its stolen intellectual property in order to compile the evidence necessary to bring charges against a thief. The loss of control can also be inward facing, as your client should be counseled on and be willing to forego control, at times, of even their own internal investigation, as the law enforcement investigation may take priority and they may be asked not to disturb the “cyber evidence.”
Alternatively, handing a case over to law enforcement carries the risk that your client’s case is not investigated at all. It may be that the cybercrime is of a “smaller” scale, the attack is of “low” severity, or there is a backlog of cases on the law enforcement agent’s desk. As a result, your client’s case may not get the attention it rightfully deserves.
Your client must also be counseled on the inevitable financial implications of involving law enforcement. Subpoenas and responses thereto may require substantial expense in the form of diversion of personnel time, lost business, and diversion of resources. This may include purchasing additional computer equipment to replace equipment seized by law enforcement diversion of employee time for interviews and preparation for grand jury and trial, attorney fees, and even the cost of the pitch to law enforcement itself.
Your client’s personal stake when involving law enforcement must also be considered. Will anything embarrassing or unsavory be brought to light as law enforcement is combing through company and personnel information on corporate computers? Is there any information your client would not want law enforcement to see regarding their own business? Remind your client that the investigation may shift from the breach to investigating the client for any acts discovered during the investigation.
Finally, consider your client’s own culpability in the cyber-attack through negligence and failure to abide by existing laws and regulations to safeguard data and information. Was your client negligent in failing to learn and apply applicable laws? Did they become aware of vulnerabilities but fail to act? Did the client abide by all the disclosure requirements? This is relevant to consider when deciding whether to make the pitch.
Ultimately, before you pitch to law enforcement, be sure to manage your client’s expectations. Involving law enforcement does not necessarily guarantee a conviction, restitution, or justice, and it will certainly involve a commitment of finances and time.
Where to Make the Pitch
Once you have decided to involve law enforcement, the next pivotal decision is which agency and jurisdiction should be involved. This can be a calculated decision and requires foresight and research.
Think about the sophistication of the agency or office where you want to pitch, along with whether you want the case to be handled by federal or state authorities and court. Generally, federal authorities have specialized units that handle cyber-attacks and the federal courts will have more regimented prosecution schedules. Depending on the jurisdiction, however, state agencies and prosecutors, including the state’s attorney general’s offices, are equally adept at handling cyber-attacks. Finally, consider the local prosecutors’ offices, and inquire whether they have a skilled cybercrimes unit. The New York County District Attorney’s Office, for instance, is skilled at handling cybercrime and have specialized units that can devote skill and attention to cases.
Other logistical concerns include researching the monetary thresholds that certain law enforcement agencies require you to meet before investigating a crime. Skim recent press releases from that office to learn about recent arrests and prosecutions. It is also important to consider whether the politics of that office and the agenda of the lead prosecutor are in line with your client’s goals. Do not be shy to engage your network—your or your firm’s prior relationships with the prosecuting office may be helpful to ensure that your client’s case will reach the right people.
Having now counseled your client on the pros and cons of engaging law enforcement, and thought through the appropriate agency to bring your case, the next question becomes, “How do you increase your likelihood that the agency will agree to investigate your case?” For the experienced attorney, it goes without saying that preparation is key. Law enforcement officials are frequently approached with many leads, often not worthy of prosecution. It would best serve your client’s interest, once you decide you want law enforcement involved, to present your case in a clear, organized, and concise manner. Binders and reports with exhibits of evidence will only help. Do offer to provide as much assistance as needed, but understand that the law enforcement investigation will be an investigation apart from your representation of the client.
Your role is to be mindful of optics and to overcome the presumption innate in each agent’s mind that your client is suspicious. Share as much as you need to and be transparent; however, keep potential legal implications for unsolicited information in mind. Disclose only what you need to for the full investigation of the crime.
Anticipate the investigation to demonstrate your willingness to assist. If appropriate in your case, discuss the protective orders your client may require. If necessary, ask law enforcement for a grand jury subpoena to protect your client from disclosures that could give rise to civil liability. Finally, recognize limitations of law enforcement and approach the meeting with an open mind. If you are reporting a crime, realize that law enforcement has limited resources and may decline to investigate or prosecute your case.
The Follow Up
Congratulations! Your pitch was effective and the agency agreed to investigate your client’s case. But that was weeks or even months ago and you have not heard back.
Remind yourself, and counsel your eager client, that patience is key with cyber investigations. These complicated efforts require a methodical investigatory approach. For example, law enforcement will serve subpoenas. Then, additional subpoenas may be served as a result of returns, as new channels of cyber networks are investigated.
If your client is eager to have their hardware and phones returned, they may be in for a shock. You should advise your client that equipment will ordinarily not be returned for at least a year and even longer if there is a trial. For example, if phones and hard drives are being imaged by an investigator, there will likely be a backlog in the forensic labs, with priority depending on upcoming court dates
As appropriate, follow up on the status of investigation and offer to assist. Often, caseloads are heavy and the case agent or prosecutor will appreciate your input and investigation. Offer to update them as frequently as they want, but consider that they may not want to work with you and may want to steer the investigation on their own. Be willing to work with them, but do not demand results by a certain time frame. Such demands will only be to your client’s detriment.
Keep law enforcement informed of media interest, as sensitive information may inadvertently be leaked that can affect both the criminal investigation and your client’s reputation. Review any media appearances or public statements with law enforcement to ensure that the investigation is not compromised. This meticulous consideration is of particular importance when the target may be unaware they are being investigated. Should the target learn of the investigation from the media, they may wipe valuable information and destroy physical hardware. It is crucial to ensure law enforcement that the pledge for confidentiality is a two-way street; that your client values their obligation to safeguard protected information to support the investigation and that law enforcement should ensure confidential and sensitive information is protected.
Ideally, this article will have provided you with the considerations needed when approaching law enforcement to pitch your client’s case. As always, regardless of why you are involving law enforcement, always make sure you are fully aware of the scope of the breach and are continuously advising your client of their responsibility to safeguard information. And remember, it is not a question of if your client will be breached. The question is when. As counsel, it is your responsibility to be prepared when that phone call comes.
Steven A. Cash is counsel at Day Pitney. Naju R. Lathia is an associate at the firm.