Data Security Law Blog

Part 1: DOJ Weighs In on Cyber Investigations & Breach Preparedness

The U.S. Department of Justice is increasing its outreach to the private sector on all things cyber.

Last week, the DOJ’s Criminal Division held a cybersecurity roundtable to discuss challenges in handling data breach investigations. As part of the roundtable discussion, the DOJ issued revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.” The Best Practices guidance, summarized below, is the result of the DOJ’s outreach efforts concerning ways in which the government can work more effectively with the private sector to address cybersecurity challenges. The goal of the roundtable discussion, which started in 2015, is to foster and enhance cooperation between law enforcement and data breach victims, and to encourage information sharing.

Pre-Planning for a Cyber Attack

The Best Practices guidance offers pre-planning tips to help organizations limit damage from cyber-attacks, minimize work stoppages, expedite mitigation efforts, and improve law enforcement’s ability to identify hackers. 

  • Educate Senior Management. Although organizations are more aware than ever of the growing threat of cyber-attacks, DOJ stressed that senior management, boards, and other governing bodies (the private sector leadership teams responsible for making decisions and setting priorities) need to be keenly aware of the impact of cyber-attacks. The Best Practices guidance suggests holding regular briefings about existing and emerging cyber threats to educate senior management and keep them informed going forward.
  • Identify “Crown Jewels”. DOJ also urges organizations to prioritize their cybersecurity efforts by identifying “crown jewels” — the data, assets, or services that warrant the greatest degree of protection. As explained in the guidance, some organizations may depend on email to communicate with customers, while other organizations may have valuable intellectual property or sensitive patient data. After determining which assets merit the highest degree of protection, DOJ advises that organizations then assess (or reassess) how to best manage the risk associated with protection of these core asset classes.
  • Develop a Cyber Incident Response Plan. By now, it should come as no surprise that maintaining a formal, up-to-date cyber incident response plan is a must. In the event of a cyber-attack, the incident response plan should direct management and other personnel to focus on containment, mitigation, and information-gathering. The plan should also be “actionable” — meaning, as DOJ advises, the plan should provide specific, concrete procedures, include timelines for completion of critical tasks, and identify decision makers. Importantly, the plan should be available in both electronic and hard copy format (in the event an organization’s network is rendered inaccessible during an attack). Organizations should conduct exercises to help familiarize staff with response plans and determine whether there are any shortcomings that need to be addressed. Such shortcomings often become apparent only after a test run, more commonly called a “table-top exercise.”
  • Build a Relationship with Law Enforcement. Having a relationship between the private sector and federal law enforcement in place before an incident occurs can prove critical in the hours and days immediately following a cyber-attack. DOJ stresses that building a relationship with federal law enforcement before an incident occurs will help ease any subsequent contact when law enforcement assistance is necessary. Federal law enforcement agencies, such as the FBI and U.S. Secret Service, are also potential sources for cybersecurity information. In short, it’s best in many instances to build that important communication bridge with law enforcement during the relative calm of everyday business and not in the midst of a cyber-attack or its immediate aftermath.
  • Maintain Cybersecurity Procedures. In addition to developing an incident response plan, DOJ warns that organizations should also use other commonsense cybersecurity practices. These include controls that limit access to data (i.e., “crown jewels”), password management programs, multi-factor authentication, firewall protection, and server logs to track network activity.
  • Retain Cybersecurity Technology and Services. In order to both defend against and respond to an attack, organizations must have the appropriate technology at their disposal and retain necessary services. Such services include incident response firms, government services associated with mitigating and recovering from attacks, and legal counsel.  Indeed, the Best Practices state that it is “beneficial” to consult with legal counsel — both in-house and outside counsel — familiar with relevant cybersecurity laws when preventing and responding to a cyber incident. Counsel should be involved with incident response planning and exercises, as well, for a multitude of reasons including considerations of confidentiality and privilege.

In part 2 of our series, we’ll look at the basics of data breach incident response and a list of the DOJ’s “don’ts” when organizations are confronted with a hacker.  Stay tuned.