In April the Justice Department’s Computer Crime and Intellectual Property Section issued its Best Practices for Victim Response and Reporting of Cyber Incidents. It is an excellent guide for a business organization to respond to cyber attacks and, one hopes, move forward with its business intact. The guide outlines what to do before, during, and after a data breach, and is quite detailed. It includes specific steps to take regarding:
- Identifying the business’s most critical information assets;
- Having a plan in place before an intrusion occurs;
- Efficiently assessing the damage from an attack;
- Minimizing that damage;
- Collecting and assessing information from the attack;
- Notifying the proper authorities and personnel; and
- Avoiding further damage after an incident has occurred, among many, many other things.
Any organization should incorporate it into its own plans for stopping the figurative hemorrhage from a cyber attack and getting back to business as soon as possible. I have three main thoughts about the guidance. First, it repeatedly refers to organizations that are the victims of cyber attacks as “victim organizations.” I don’t mean that sentence to be as obtuse (or obnoxious) as it might sound. But it’s helpful to know that federal prosecutors will treat business that are attacked in this way as the victims and not the criminals. With a view toward maintaining that perspective, plan ahead. The guidance says early on: “Having well-established plans and procedures in place for managing and responding to a cyber intrusion or attack is a critical first step toward preparing an organization to weather a cyber incident. Such pre-planning can help victim organizations limit damage to their computer networks, minimize work stoppages, and maximize the ability of law enforcement to locate and apprehend perpetrators.” If you do that pre-planning, you will be much more likely to maintain that “victim” posture in DOJ’s eyes, and look less like a negligent custodian of your customers’ data. Second, the Justice Department really wants you to let it and the FBI know about cyber attacks when they happen. The guidance provides extensive assurances that the FBI and the U.S. Secret Service will try not to wreck businesses in the process of investigating attacks against those businesses. “The FBI and U.S. Secret Service place a priority on conducting cyber investigations that cause as little disruption as possible to a victim organization’s normal operations and recognize the need to work cooperatively and discreetly with victim companies. They will use investigative measures that avoid computer downtime or displacement of a company's employees.” They even want organizations to “establish a relationship with their local federal law enforcement offices long before they suffer a cyber incident.” And the Department of Homeland Security might be able to provide “technical assistance capable of mitigating an ongoing cyber incident.” Finally, if you are attacked, DOJ urges you to be careful about seeking justice on your own. “A victimized organization should not attempt to access, damage, or impair another system that may appear to be involved in the intrusion or attack. Regardless of motive, doing so is likely illegal, under U.S. and some foreign laws, and could result in civil and/or criminal liability.” Don’t consider this an idle warning. The FBI and Secret Service would much rather be in the position of investigating bad actors, without businesses seeking vigilante justice. The Best Practices is a good document. Bake it into your incident response program. It could go a long way toward minimizing damage and maintaining good relationships with federal law enforcement if a cyber attack goes from bad to worse.