DOJ Revises Guidance on Responding to Cyber Incidents

Recently, the Criminal Division of the Department of Justice (DOJ) convened a cybersecurity roundtable for data breach and cybersecurity experts. At that time, DOJ’s Cybersecurity Unit released revised guidelines for “Best Practices for Victim Response and Reporting of Cyber Incidents,” which it had originally released in April 2015.

The Original “Best Practices” Document

The guidance mainly targets “smaller organizations and their legal counsel,” although DOJ notes that larger organizations may find it useful, because of the insight it provides about DOJ’s approach to cybersecurity issues. The original document addressed steps to prepare for an intrusion or attack, including the need to identify the organization’s “crown jewels” that warrant the most protection, through the adoption of a computer intrusion plan. The plan should feature network monitoring obtained through network user consent. DOJ encouraged organizations to establish relationships with law enforcement, specifically, the FBI’s Infragard Chapters and U.S. Secret Service’s Electronic Crimes Task Forces, and to share information through Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs).

The original guidance also outlined the steps to respond to a computer intrusion, including making an initial assessment, implementing measures to minimize damage, recording and collecting information, and notifying personnel in the organization, law enforcement, the Department of Homeland Security (DHS), and victims.

The Updated “Best Practices” Document

Planning

The guidance has been revised substantially. DOJ observed that although three years have passed since the publication of the original guidance, 77% of respondents in a recent study still lack a formal incident response plan. While the revised guidance adheres to the steps described in the original document, DOJ now stresses the need to involve senior management by conducting regular briefings on threat planning and risk management. The revised guidance also addresses the need to determine the greatest point of vulnerability, which may be in a third-party vendor that has access to the network or vital data.

The guidance augments the minimal requirements that a plan should address to include coordinating with cloud storage and other third-party service providers that host the organization’s data and service, contacting the organization’s incident response firm, and restoring backed-up data.

For these additional technological and service requirements, DOJ observes that each organization will need to prepare differently, and different types of threats require different types of defenses. For example, back-up capability may be useful for a ransomware attack, but may provide only marginal protection against unlawful exfiltration of data.

DOJ also discusses the advent of cloud storage and emphasizes that, while this storage has some benefits, organizations using such services should still determine whether there is adequate security and whether the relevant agreements anticipate the need to provide law enforcement and other third parties access to the organization’s information in the event of an incident.

In addition, the guidance identifies the need for “commonsense cybersecurity practices.” Similar to the FTC’s “Start with Security” guide, DOJ recommends measures such as installing a patch management program, instituting access controls and network segmentation to limit the consequences of a breach, using password management programs and multi-factor authentication, building perimeter defense, such as a firewall, and enabling server logging to help determine the cause and origin of a cyber incident.

Information Sharing

DOJ has updated the document to discuss the Cybersecurity Information Sharing Act of 2015 (CISA), which authorizes an organization to monitor communications and network systems for a cybersecurity purpose, that is, to prevent a cyber incident and to aid response efforts. CISA also authorizes sharing of cyber threat indicators with ISACs and ISAOs, and shields organizations that share information with a certain level of liability protection. (This protection, however, does not appear to be uniform, based on DHS-issued guidance in June 2016, which notes different levels of protection depending on whether this information is shared with DHS or other federal agencies). DOJ also notes that FTC and DOJ’s Antitrust Division stated that antitrust laws should not impede legitimate information sharing.

Incident Response

It is now almost standard practice for organizations to retain an incident response firm to collect information and prepare a forensic report. The DOJ guidance discusses how to incorporate this practice into an effective incident response. Without opining whether a report created under the direction of the organization’s attorneys is attorney-client privileged, DOJ warns that withholding or delaying the sharing of the information in the report “can make criminal investigation more difficult.”

Preemptively addressing companies’ hesitation to share information about their cybersecurity incidents and related vulnerabilities, DOJ attempts to reassure that law enforcement “is focused on collecting information about the perpetrator’s criminal conduct” and that “reporting a cyber incident to the Department or to federal criminal investigators will not lead to regulatory enforcement action by the Department for the incident.” Nevertheless, the “Best Practices” do not discuss what other regulators may do or whether an organization may still have concerns about the impact that release of information—for example, upon the filing of public charges against the attacker or in criminal discovery—could have on the organization’s own civil or regulatory liability.

What Not to Do

Like the original “Best Practices,” the revised document continues to admonish organizations not to take retaliatory action against an attacker. The consequences include possible violation of federal and state law, as well as foreign law. A victim’s self-help may also, in the case of a system being exploited by the attacker, result in the targeting of another “unwitting, innocent victim.”

Nevertheless, although not discussed in the guidance, CISA does recognize certain “defensive measures.” Based on the DHS CISA guidance, these could include programs that identify malicious activity or a signature that can detect certain spear phishing campaigns. CISA, however, does not condone measures that, for example, render unusable or provide unauthorized access to a system not belonging to the organization.

Conclusion

These are only the highlights of the detailed, revised guidance. Perhaps reflecting the increased regulatory and litigation-related scrutiny given to data breach incidents, the document contains a disclaimer that states “failure to take all of the proposed steps or implement all of the measures discussed herein should not be interpreted per se unreasonable or negligent conduct.”

In light of this scrutiny, the guidance also recommends that companies have legal counsel that is conversant with technology and knowledgeable about relevant laws. DOJ advises that “having ready access to advice from lawyers who are well acquainted with cyber incident response can speed up an organization’s decision making and help ensure that a victim organization’s incident response activities remain on firm legal footing.” Such assistance—as well as the attendant benefits of attorney-client privilege—can prevent many headaches down the road.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Steve Bunnell, an O'Melveny partner licensed to practice law in the District of Columbia, Ronald Cheng, an O'Melveny partner licensed to practice law in California and Hong Kong, Randall Edwards, an O'Melveny partner licensed to practice law in California, Scott Pink, an O'Melveny special counsel licensed to practice law in California, Mallory Jensen, an O'Melveny counsel licensed to practice law in California contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2018 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.