In the wake of a data breach, one of the key questions an organization will face is whether to inform law enforcement of the incident. The decision could have significant legal and business implications for the organization. The right answer will depend on the facts and circumstances—of the incident as well as the business and regulatory environment—and should involve consultation with counsel, outside experts, and key stakeholders across the company.
Of course, there may be legal obligations requiring an organization to report certain types of security incidents to the government. Where and when those obligations require such disclosures are beyond the scope of this post; we focus here only on the potential benefits and risks of making a voluntary disclosure to U.S. law enforcement.
A decade ago, the prospect of coordinating with the Federal Bureau of Investigation (FBI), U.S. Secret Service, or other law enforcement agencies regarding the response to a cyber incident would have been an entirely foreign concept. But, as law enforcement agencies have grown their cyber investigative footprint, they’ve recognized that attributing cyber attacks and catching cyber criminals often requires partnering with private sector victims whose networks may contain critical evidence. Agencies like the FBI and Secret Service have also adopted as part of their mission a focus on protecting national assets, including corporate trade secrets, and have devoted significant resources to working with the private sector to protect the nation’s crown jewels from economic espionage and other cyber threats.
The FBI, for example, has gone to great lengths to encourage victim reporting of cyber incidents, and FBI Director Christopher Wray publicly committed to “treat victim companies as victims” and emphasized that the FBI’s focus will be on “doing everything we can to help you,” including sharing indicators of compromise, tactics cyber criminals are using, and strategic threat information.
But just because some law enforcement agencies encourage this coordination does not mean that your organization should reflexively take law enforcement up on the offer.
Like all complex legal questions, the decision whether to coordinate with a law enforcement agency on your organization’s response to a data security incident brings with it a number of potential benefits that must be balanced against potential risks. As is often the case, these risks and benefits must be worked through on a case-by-case basis. There is no shortcut for determining which risks or benefits are most pertinent—or potent—in any given situation.
With that being said, here are a few key considerations for whether to coordinate an incident investigation and response with law enforcement:
It is not uncommon for a law enforcement agency to have been tracking a cyber threat for some time and to have developed significant information about the activities and tactics of specific hacking groups. By coordinating with law enforcement, an organization may receive valuable non-public information that could help it identify the vulnerabilities exploited in a breach, the potential intent behind the incident, and the source of the attack. Such information may help with the organization’s incident response and long-term remediation efforts.
Law enforcement also has access to investigative tools and other processes that are not available to the private sector that, in some cases, enable law enforcement to undo some of the harm caused by an incident. For example, law enforcement may be able to seize and recover lost data, provide tools to decrypt data infected with ransomware, or work with banks to interrupt a fraudulent transaction.
Particularly if a breach becomes public or involves customer information, the organization will face questions about the steps it has taken to respond and whether it has done enough to remediate. Being able to say that the organization notified and is working with law enforcement will strengthen its message to stakeholders that it has done all that it can to respond.
Obviously, law enforcement agencies can only investigate data breaches that they know about. An agency may decide to open an investigation into a breach after learning about it as a result of the affected organization’s outreach. If the agency chooses to do so, the scope and direction of the investigation will be outside the organization’s control.
Law enforcement agencies may seek additional information from cyber incident victims to further their investigations. Although many law enforcement agencies have realistic expectations and understand that responding to an incident takes significant time and resources on the part of an organization, law enforcement may make requests that take time to respond to and divert resources from other remediation activities.
Moreover, during and after an investigation, an agency could take action that is contrary to the affected organization’s legal and business interests, including publicly announcing an investigation or filing criminal charges that identify the organization.
Although many law enforcement agencies will go to great lengths to address victims’ concerns as an investigation develops, the interests of the investigation will usually take precedence in instances where such interests conflict with those of the victim organization.
In certain circumstances, it is possible that a law enforcement agency could share with appropriate regulators information about a breach that it learns through coordination with the affected organization. These regulators include the Federal Trade Commission, the Securities and Exchange Commission, sector-specific regulators, state attorneys general, and, in limited circumstances, foreign regulators.
This information-sharing could take place before an affected organization is prepared to engage with these civil regulators or external stakeholders, including investors, analysts, clients, the media, and the markets, about the breach. After learning about the breach, civil regulators may decide to launch their own inquiries.
More often than not, organizations that weigh the risks and benefits find that working with law enforcement benefits them and their remediation efforts. But notifying law enforcement is a bell that cannot be un-rung, so the decision to involve law enforcement requires thoughtful consideration of the unique circumstances of a breach and the potential benefits and risks of notification.
In future installments of “Beyond the Breach,” we will address best practices for working with law enforcement and considerations for which law enforcement agency to engage in specific circumstances.