Cyber attacks can result in significant monetary and reputational damage to a wide range of businesses. Recently, the U.S. Department of Justice (DOJ) increased its efforts to engage businesses on cybersecurity issues. Earlier this year, as part of that effort, the department published a new resource for companies victimized by a cyber attack. The guidance, “Best Practices for Victim Response and Reporting of Cyber Incidents,” is targeted at smaller organizations, but it provides beneficial insights for companies of all sizes, including best practices for preparing for, responding to, and recovering from cyber incidents that are applicable to all organizations.[1]
Preparing for Cyber Attacks
As part of any company’s efforts to prepare for a cyber incident, the guidance stresses the importance of conducting a risk assessment to evaluate a company’s assets and to assess the policies and procedures in place to protect those assets. For example, the guide recommends identifying a company’s “Crown Jewels”—mission-critical data and assets—and then implementing security and risk management practices to protect these key assets. The guide also suggests implementing an actionable cyber incident response plan before any incidents occur, as the company may not have the time and resources available following an incident to establish a plan for responding. The DOJ also recommends establishing relationships with relevant third parties and related stakeholders, such as law enforcement officials and forensic and investigative service providers, prior to an incident. The DOJ recommends that this outreach include legal counsel, as cyber attacks can raise a multitude of unique and difficult legal issues.
Responding to a Cyber Attack
The DOJ recommends that companies respond to incidents using a four-step response process. First, immediately upon learning of an incident, the guidance recommends that a company conduct an initial assessment of the nature and scope of the cyber incident. According to the guidance, the assessment should be used to determine the scale of the incident and the resources available inside the company to deal with it. A company should also consider additional assistance it may need from law enforcement and/or legal and forensic service providers. Importantly, the department recommends that companies document as much information as is available about an incident, especially in the event that a company suspects that a criminal incident occurred.
Second, the guidance recommends that a company implement measures to minimize continuing damage from a cyber attack, in the event that the attack is ongoing when identified by the company. Mitigation may include efforts as significant as barring all external access to the company’s network and systems in the event of an intrusion or monitoring the illegal activity to gather more information about the attack. The specific recommended actions for this step depend heavily on the type, complexity, and timing of the attack and the assets impacted. The guidance recommends maintaining detailed records of the actions taken (or not taken) for this step, which are also important for potential litigation and criminal investigations.
Third, the guidance recommends that a victim company collect and record information about the attack, including imaging affected computers and devices for future investigative use. This step includes maintaining logs and records about attacks, such as a description of the attack, the people, service providers, and tasks involved in addressing the attack, the data, systems, and assets affected, and any continuing activity of the attack.
The final recommendation is that a company should notify affected stakeholders, including senior management, legal counsel, IT and security personnel, and the public relations department. This recommendation includes notifying law enforcement and the Department of Homeland Security, as appropriate, to obtain assistance in addressing the cyber attack and to share details about the attack to help prevent additional incidents. Depending on the information affected by the attack, data breach notification laws and contractual requirements may require that a company notify affected consumers, vendors, service providers, clients, and/or investors. Companies should carefully consider the legal and business risks associated with these external notifications with appropriate legal counsel.
Recovering from a Cyber Attack
Finally, the DOJ provides brief guidance on recovering from a cyber attack. The guidance recommends against using any of the systems and assets compromised by the attack to communicate about an incident, including the efforts to respond to the incident. Importantly, the guide also recommends against victim companies hacking into or damaging another network or system involved in an attack as a response to an intrusion. The guidance stresses that there may be legal liability for so-called hacking-back efforts and the potential for increasing the damage to the company from the attack if the original attacker retaliates.
While the DOJ’s guidance is directed at small companies, the guidance provides a model for all companies to utilize to evaluate their current data breach and incident response practices. As the guide recommends, companies, especially those with less sophisticated compliance and security programs, should take care to utilize experts whenever possible, as the legal and regulatory landscape for cyber attacks, security incidents, and data breaches is very active and constantly evolving. The recommendations for information sharing are also topics of great concern for law enforcement and government agencies, and companies should carefully consider both the risks and benefits of participating in such programs. The costs of ineffective preparation for and response to a cyber attack can be significant, and the DOJ’s guide provides a strong starting point for addressing these risks.
[1] DOJ, “Best Practices for Victim Response and Reporting of Cyber Incidents” (April 2015), http://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/04/30/04272015reporting-cyber-incidents-final.pdf.