The Benefits and Risks of Notifying Law Enforcement
In the wake of a data security incident, one of the key questions an organization will face at an early stage is whether to inform law enforcement. The decision could have significant legal and business implications for the organization. The right answer will depend on the facts and circumstances of the incident as well as the business and regulatory environment, and should involve consultation with counsel, outside experts, and key stakeholders across the company.
Of course, there may be legal obligations requiring an organization to report certain types of security incidents to the government. Where and when those obligations require such disclosures are beyond the scope of this post; we focus here only on the potential benefits and risks of making a voluntary disclosure to U.S. law enforcement in the absence of any legal obligation.
In recent years, coordinating with the Federal Bureau of Investigation (FBI), U.S. Secret Service, or other law enforcement agencies has become increasingly common for organizations as they handle security incidents. This shift has occurred as U.S. law enforcement agencies have grown their cyber investigative footprint, maximized their use of legal authorities, increased coordination with international agencies, and improved their private sector outreach. Law enforcement has recognized that attributing cyber attacks and catching cyber criminals often requires partnering with private sector victims whose networks may contain critical evidence.
Agencies like the FBI and Secret Service have also adopted as part of their mission a focus on protecting national assets, including corporate trade secrets, and have devoted significant resources to working with the private sector to protect the nation’s crown jewels from economic espionage and other cyber threats.
In the last decade, the Department of Justice and FBI have dedicated significant resources to improving private sector coordination and sought to demonstrate that they will treat victims as victims. But just because some law enforcement agencies encourage this coordination does not mean that your organization should reflexively take law enforcement up on the offer.
Like all complex legal questions, the decision whether to coordinate with a law enforcement agency on your organization’s response to a data security incident brings with it a number of potential benefits that must be balanced against potential risks. These risks and benefits must be worked through on a case-by-case basis. There is no shortcut for determining which risks or benefits are most pertinent—or potent—in any given situation.
Here are a few key considerations to take into account in deciding whether to coordinate an incident investigation and response with law enforcement.
It is not uncommon for a law enforcement agency to have been tracking a cyber threat for some time and to have developed significant information about the activities and tactics of specific criminal and national security actors. By coordinating with law enforcement, an organization may receive valuable, non-public threat information that could help it identify the vulnerabilities exploited, the potential intent behind the incident, the source of the attack, and intelligence related to the group responsible that may inform company decisions (e.g., whether to engage with a threat actor in response to an extortion attempt). Such information may help with the organization’s incident response and long-term remediation efforts.
If notified by a company, law enforcement may be able to help a company recoup its losses. In recent years, law enforcement has developed capabilities to recover payments by:
Particularly if an incident becomes public or involves customer information, the organization will face questions about the steps that it has taken to respond and whether it has done enough to remediate. Being able to say that the organization notified and is working with law enforcement will strengthen its message to stakeholders that it has done all that it can to respond.
Coordination may also bolster an organization’s standing with its regulators. Both the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) have indicated that they consider coordination with law enforcement to be a positive factor when considering whether to take action against an organization. Similarly, coordination with law enforcement may be viewed favorably by the Treasury Department when considering penalties for sanctions violations associated with extortion payments.
Obviously, law enforcement agencies can only investigate security incidents or data breaches that they are aware of. An agency may decide to open an investigation into an incident after learning about it as a result of the affected organization’s outreach. If the agency chooses to do so, the scope and direction of the investigation will be outside the organization’s control. Of course, there is always a risk that law enforcement will learn of the incident independently, and the organization may be in a worse position than if it had voluntarily disclosed.
To further their investigations, law enforcement agencies may seek additional information from victims. Although many law enforcement agencies have realistic expectations and understand that responding to an incident takes significant time and resources on the part of an organization, law enforcement may make requests that take time to respond to and divert resources from other remediation activities.
Moreover, law enforcement may look at the organization’s conduct, and during and after an investigation, an agency could take action that is contrary to the affected organization’s legal and business interests, including publicly announcing an investigation or filing criminal charges that could identify the organization.
Although many law enforcement agencies will go to great lengths to address victims’ concerns as an investigation develops, the interests of the investigation will usually take precedence in instances where such interests conflict with those of the victim organization.
In certain circumstances, it is possible that a law enforcement agency could share with appropriate regulators information about a breach that it learns through coordination with the affected organization. These regulators include the FTC, the SEC, sector-specific regulators, state attorneys general or other state agencies, and, in limited circumstances, foreign regulators.
This information sharing could take place before an affected organization is prepared to engage with these civil regulators or external stakeholders, including investors, analysts, clients, the media, and the markets, about the breach. After learning about the breach, civil regulators may decide to launch their own inquiries and may seek to impose penalties.
More often than not, organizations that weigh the risks and benefits have found that working with law enforcement benefits those organizations and their remediation efforts. But notifying law enforcement is a bell that cannot be unrung, so the decision to involve law enforcement requires thoughtful consideration of the unique circumstances of a breach and the potential benefits and risks of notification.


