Well, it happened. Your organization suffered a significant data breach.
This is a challenging time, even as it is more and more common for entities of all sizes. Fortunately, your organization heeded the many warnings about cybersecurity resilience and was prepared.
Now, informed by your incident response plan, you need to make some decisions in a hurry about how you will respond to the breach.
A crucial decision point in the immediate aftermath of a breach is whether to reach out to law enforcement for assistance. You’ve weighed the benefits and risks of doing so, and have determined that with this particular breach, contacting law enforcement would be best for your organization under the circumstances.
But how do you determine which law enforcement agency to contact?
For regulated entities, you will want to consider notifying your regulator simultaneously with law enforcement and will need to take into account any disclosure obligations you may have as a regulated entity. Depending on your organization’s industry or line of business, and the kind of data that was breached (e.g., information protected by HIPAA), your organization may need to notify multiple regulatory agencies.
When determining which law enforcement agency to contact about a data breach, it helps to start with a clear understanding of the goal and benefits of doing so. Contacting law enforcement and making them aware of the situation contributes to a broader effort to hold bad actors in cyberspace accountable and to detect and disrupt threats.
As we noted previously, one of the clear benefits of contacting law enforcement is the potential opportunity to learn more about the incident and the attacker, which may inform your response and remediation efforts. Depending on the nature of the incident, law enforcement involvement may be critical in helping make time-sensitive decisions about how to respond to what may have happened to your information. It may also give you a better understanding of how the incident happened and whether others in your industry have been similarly targeted.
In the case of a ransomware incident, it can be especially important to contact law enforcement before any decision is made to pay a ransom, so you can understand more about the actor you would be paying and be alerted to any risks of doing so.
Beyond these immediate benefits, contacting law enforcement helps to reinforce that your company was a victim of an attack and is committed to doing the right thing and being cooperative with relevant authorities—which can be helpful to you down the road if your immediate response is scrutinized after the incident becomes public.
Once your organization determines what it hopes to gain from contacting law enforcement, it should then target the agency or agencies best positioned to help it achieve those objectives. In many cases—especially for large companies—that is the law enforcement agency that you already know and that knows you. Those relationships can be critical in getting timely and helpful information.
If you do not have those relationships already, the law firm or forensic firm that you engaged in connection with a breach may be able to assist you in identifying the right point of contact.
Here are the U.S. law enforcement agencies that are among the most likely candidates to contact following a breach.
Local FBI Field Office
Your organization’s local Federal Bureau of Investigation field office will frequently be the first option, particularly in the case of a significant criminal or national security matter. The FBI closely tracks the cyber threat landscape, has broad jurisdiction to investigate such matters, and has close ties to other domestic and overseas law enforcement agencies.
Even for a large, multinational organization, its local FBI field office is likely the most appropriate first option. This is particularly the case when the organization concentrates the bulk of its operations in a single community or a small number of communities, because the organization has likely built a relationship over time with its local field office regarding any number of issues.
For some data breaches, however, FBI headquarters is in a better position to assist than its local counterparts. This is especially true when a data breach could pose national security risks, when there appears to be a particularly sophisticated bad actor such as a nation-state entity, when a local FBI field office has limited experience, or when a large, decentralized organization suffers a breach.
United States Secret Service
The U.S. Secret Service, a part of the Department of Homeland Security (DHS), has jurisdiction to investigate a broad array of financial crimes, including counterfeiting of U.S. currency, identity fraud, and certain crimes affecting federally insured financial institutions. The Secret Service has also expanded its mandate to fight cybercrime. It has a number of tools at its disposal to help identify and find perpetrators of data breaches and other computer-related crimes, such as its Electronic Crimes Task Forces.
Homeland Security Investigations
In the case of data breaches involving human trafficking, smuggling, or violations of international trade laws, your organization should consider contacting Homeland Security Investigations (HSI), an investigative arm of DHS that has expertise in these areas.
Other Federal Agencies
When a data breach targets a particular business sector, organizations should reach out to federal agencies that have relevant jurisdiction.
For example, in the healthcare sector, the Office of the Inspector General at the U.S. Department of Health & Human Services (HHS) conducts criminal and civil investigations into fraud involving HHS programs.
Local Law Enforcement
Your organization should consider contacting local law enforcement—particularly when a data breach involves a physical intrusion or appears to be connected to local criminal activity such as prostitution or child abuse. In these and similar circumstances, a local law enforcement agency may be more likely to initiate swift investigative action than one of its federal counterparts.
While U.S. law enforcement agencies are the subject of this post, if your organization is multinational, you and your colleagues also need to consider whether and how to involve non-U.S. law enforcement agencies and data protection authorities, particularly in light of the European Union’s General Data Protection Regulation (GDPR).
When your organization decides to contact law enforcement in the wake of a data breach, the decision of which particular agencies to contact will be driven by what it hopes to gain from the outreach.
More often than not, your organization’s local FBI field office will be the appropriate first option for coordination. However, depending on your organization’s objectives and the nature of the breach it is dealing with, it may also benefit from coordinating with other agencies.
This article in our “Beyond the Breach” series was authored by David A. Newman, a partner in Morrison & Foerster’s Privacy + Data Security Group.