Cooperating with Federal Law Enforcement Agencies Before and After a Cyberattack Can Help Companies Minimize Harm and Legal Exposure
By Edward J. McAndrew
Many companies that suffer a malicious cyber incident such as a breach hesitate to involve federal law enforcement, fearing an overbearing investigative process, loss of control over the incident response, additional pain or injury caused by law enforcement activities, and public court proceedings. Too often, they instead take minimal steps to such outreach – usually with an eye toward regulatory compliance, rather than helping to pursue cybercriminals and pursuing long-term information security. They then hunker down and hope they don’t experience another attack.
The Consequences of a Bunker Mentality
Not having meaningfully involving law enforcement after an incident has several downsides. Most important, companies often lack the resources and investigative tools to fully understand:
- Why they were targeted, by whom, how the attack was carried out, and what the objectives were.
- Whether the incident has continued past the initial discovery and containment phase.
- What the attackers actually viewed, took, altered, or destroyed in the process, and what other vulnerabilities the attackers may have discovered or exposed.
- Whether the victim’s infrastructure was weaponized against third parties.
- How to prevent this or another type of attack from happening again.
The inability to answer these questions increases the chances that victim organizations will be hit again. And the pain doesn’t stop there. Not reaching out to federal law enforcement agencies, that is, not taking this very reasonable and easy step in response to a malicious cyberattack, can further damage the reputation of a company already tarnished by the initial incident. It often leads to increased legal and regulatory exposure, including regulatory investigations, enforcement actions and private litigation. It also complicates any subsequent defense that the organization should not be held civilly liable or further penalized for being the victim of a crime.
Not engaging law enforcement is also increasingly exposing organizations to potential liability where the organization’s notification to law enforcement could have prevented similar attacks on other organizations that may be digitally “connected” to it. In addition, several federal and state regulators expressly require or encourage victim organizations to contact and cooperate with federal law enforcement in the aftermath of a cyberattack. And doing so is considered favorably in terms of whether the organization has acted reasonably under applicable law.
Take Your Medicine
There’s no doubt that involving federal law enforcement during or after a cyberattack may involve some discomfort. This may include having to share attack data with law enforcement and provide access to networks and impacted devices. It can also include having personnel serve as witnesses in public court proceedings. Such actions may expose sensitive information and vulnerabilities, which regulators and civil litigants may seek to use against the organization.
However, the organizational health benefits of this particular medicine are compelling. Even organizations with first-rate cyber defense teams don’t have access to the larger picture that the federal law enforcement and intelligence agencies can develop to connect the dots. This means that agencies like the FBI can help an organization that is willing to cooperate understand more fully the answers to the investigative questions noted above. Since these questions are now commonly being asked during regulatory investigations and civil litigation in the aftermath of a breach, having law enforcement agencies help in developing the answers can put an organization in a stronger defensive position, and even save the company money by reducing its own investigation and preparation costs.
In appropriate cases, the FBI can deploy a Cyber Action Team to help an organization deal with an ongoing attack. The FBI, DHS and their partners also can share a wealth of important data to prevent future attacks. Law enforcement agencies even lead organizations in certain industries through simulated cyber exercises to improve their ability to detect and respond to cyber incidents. As previously stated, cooperation with the law enforcement community is also considered when potential legal and regulatory penalties are under consideration.
For all the negative coverage of the Yahoo cyberattacks, the company’s response illustrates at least this point. Following the indictment of the Yahoo hackers, the Justice Department publicly applauded Yahoo’s “outstanding” cooperation efforts, which helped lead to the indictment. The SEC subsequently cited this cooperation as one of the reasons for not imposing a more significant penalty on Yahoo for its untimely disclosures relating to the attacks.
Today, smart organizations are benefiting by working with law enforcement as part of a comprehensive approach to cybersecurity and crisis management. Reaching out to law enforcement puts them in a much better position to minimize their regulatory exposure and defend themselves against possible litigation. It can also help them significantly increase their security posture to prevent future attacks – which is a benefit for every information stakeholder, customer and stockholder.
Edward J. McAndrew, Partner & Co-Chair, Privacy & Data Security Group, Ballard Spahr LLP, Faculty Member of the CGOC (Compliance, Governance & Oversight Council)