The Benefits and Risks of Notifying Law Enforcement
The Benefits and Risks of Notifying Law Enforcement
In the wake of a data breach, one of the key questions an organization will face is whether to inform law enforcement of the incident. The decision could have significant legal and business implications for the organization. The right answer will depend on the facts and circumstances—of the incident as well as the business and regulatory environment—and should involve consultation with counsel, outside experts, and key stakeholders across the company.
Of course, there may be legal obligations requiring an organization to report certain types of security incidents to the government. Where and when those obligations require such disclosures are beyond the scope of this post; we focus here only on the potential benefits and risks of making a voluntary disclosure to U.S. law enforcement.
A decade ago, the prospect of coordinating with the Federal Bureau of Investigation (FBI), U.S. Secret Service, or other law enforcement agencies regarding the response to a cyber incident would have been an entirely foreign concept. But, as law enforcement agencies have grown their cyber investigative footprint, they’ve recognized that attributing cyberattacks and catching cyber criminals often requires partnering with private sector victims whose networks may contain critical evidence. Agencies like the FBI and Secret Service have also adopted as part of their mission a focus on protecting national assets, including corporate trade secrets, and have devoted significant resources to working with the private sector to protect the nation’s crown jewels from economic espionage and other cyber threats.
The Department of Justice has underscored the importance of private sector cooperation. Deputy Attorney General Lisa Monaco said “one of the most important steps in disrupting malicious cyber activity is to increase the reporting of cybercrimes by private sector victims,” and pledged to companies who cooperate with law enforcement that the Department will “stand with them in the aftermath of the incident.” The FBI has also gone to great lengths to encourage victim reporting of cyber incidents; FBI Director Christopher Wray publicly committed to “treat victim companies as victims” and emphasized that the FBI’s focus will be on “doing everything we can to help you,” including sharing indicators of compromise, tactics cyber criminals are using, and strategic threat information.
But just because some law enforcement agencies encourage this coordination does not mean that your organization should reflexively take law enforcement up on the offer.
Like all complex legal questions, the decision whether to coordinate with a law enforcement agency on your organization’s response to a data security incident brings with it a number of potential benefits that must be balanced against potential risks. As is often the case, these risks and benefits must be worked through on a case-by-case basis. There is no shortcut for determining which risks or benefits are most pertinent—or potent—in any given situation.
With that being said, here are a few key considerations for whether to coordinate an incident investigation and response with law enforcement:
It is not uncommon for a law enforcement agency to have been tracking a cyber threat for some time and to have developed significant information about the activities and tactics of specific hacking groups. For example, the FBI is investigating over 100 different ransomware variants. By coordinating with law enforcement, an organization may receive valuable, non-public threat information that could help it identify the vulnerabilities exploited in a breach, the potential intent behind the incident, and the source of the attack. Such information may help with the organization’s incident response and long-term remediation efforts.
If notified by a company, law enforcement may be able to undo some of the harm. In recent years, the Department of Justice has had considerable success recovering payments from ransomware attacks:
Recovering payments in the wake of a ransomware attack is only one way law enforcement may be able to undo harm. In the case of fraudulent transfers or transactions, if notified quickly, law enforcement may be able to leverage relationships with financial institutions to interdict the transfer. Law enforcement may also be able to seize and recover last data or provide tools to decrypt data infected with ransomware.
Particularly if a breach becomes public or involves customer information, the organization will face questions about the steps it has taken to respond and whether it has done enough to remediate. Being able to say that the organization notified and is working with law enforcement will strengthen its message to stakeholders that it has done all that it can to respond.
As the U.S. government has undertaken a whole-of-government approach to counter malicious cyber actors, it has made a point to state that coordination with law enforcement is viewed as a “significant mitigating factor” when the Treasury Department is considering penalties for sanctions violations. For example, since ransomware attacks can often be perpetrated by sanctioned entities or threat actors who use sanctioned cryptocurrency services, engaging early with law enforcement can provide an organization insight into whether there is a sanctions risk in paying a ransom.
Obviously, law enforcement agencies can only investigate data breaches that they know about. An agency may decide to open an investigation into a breach after learning about it as a result of the affected organization’s outreach. If the agency chooses to do so, the scope and direction of the investigation will be outside the organization’s control.
To further their investigations, law enforcement agencies may seek additional information from cyber incident victims. Although many law enforcement agencies have realistic expectations and understand that responding to an incident takes significant time and resources on the part of an organization, law enforcement may make requests that take time to respond to and divert resources from other remediation activities.
Moreover, during and after an investigation, an agency could take action that is contrary to the affected organization’s legal and business interests, including publicly announcing an investigation or filing criminal charges that identify the organization.
Although many law enforcement agencies will go to great lengths to address victims’ concerns as an investigation develops, the interests of the investigation will usually take precedence in instances where such interests conflict with those of the victim organization.
In certain circumstances, due to coordination and information sharing between agencies, it is possible that information shared with a law enforcement agency could be obtained by a regulator. These regulators include the Federal Trade Commission, the Securities and Exchange Commission, sector-specific regulators, state attorneys general, and, in limited circumstances, foreign regulators. This information-sharing could take place before an affected organization is prepared to engage with these civil regulators or external stakeholders about the breach, and without notice to the entity that provided the information. After learning about the breach, regulators may decide to launch their own inquiries.
Different law enforcement agencies have different policies on whether and under what circumstances to share information related to a cyber incident with regulators. Increasingly law enforcement agencies recognize that the possibility of information sharing with regulators is a topic of significant concern for victims of cyber incidents and have sought to provide assurances that information shared with them by a victim generally will not be shared with regulators. For example, FBI Director Wray noted in public remarks that “we’re not asking you for information so we can turn around and share it with regulators looking into the adequacy of your cybersecurity after a breach,” and FBI Assistant Director Bryan Vorndran, who leads FBI’s Cyber Division, commented that “the regulatory relationship is between the regulator and the victim. The FBI is not a proxy for that, and we will never allow ourselves to be used as proxy.” These guarantees are not ironclad even in the case of FBI, and it is important to understand how the information a company shares will be used anytime it engages with law enforcement.
More often than not, organizations that weigh the risks and benefits find that working with law enforcement would benefit those organizations and their remediation efforts. But notifying law enforcement is bell that cannot be un-rung, so the decision to involve law enforcement requires thoughtful consideration of the unique circumstances of a breach and the potential benefits and risks of notification.
Law clerk Damian Mencini contributed to the drafting of this alert.