Alston & Bird Privacy Blog
DOJ Issues Data Breach Guidance

April 29, 2015 By Privacy & Data Security Team

On Wednesday, April 29, 2015, the Department of Justice Computer Crime and Intellectual Property Section (CCIPS) Cybersecurity Unit issued new, detailed guidance on data breach incident response best practices. The document was announced at an invitation-only roundtable hosted by DOJ and provides guidance on what DOJ regards as “best practices for victims and potential victims to address the risk of data breaches, before, during and after cyber-attacks and intrusions.” The document was prepared with input from federal prosecutors as well as private sector companies that have experienced cybersecurity incidents.

The guidance is split into four primary sections: (1) Steps to Take Before a Cyber Intrusion or Attack Occurs; (2) Responding to a Computer Intrusion: Executing Your Incident Response Plan; (3) What Not to Do Following a Cyber Incident; and (4) After a Computer Incident.  In addition, the document contains a “cyber incident preparedness checklist” that is also split into before, during, and after a cyber-attack or intrusion.

Each section has several subsections containing more detailed guidance.  For instance, prior to an incident, DOJ recommends that companies perform a risk assessment to identify critical services, assets, and data in order to prioritize their protection efforts.  DOJ points to the NIST Cybersecurity Framework as “excellent guidance on risk management planning and policies” and states that it “merits consideration.”  DOJ also recommends that companies have an actionable response plan in place prior to an incident; provides minimum criteria for such plans; and emphasizes that employees responsible for executing the plan must have access to and be familiar with it via training and exercises.  Other recommendations for “before an incident” include having appropriate technology and services in place; having appropriate authorization in place to permit network monitoring; ensuring that legal counsel is familiar with technology and cyber incident management; ensuring that organizational policies align with incident response plans; engaging with law enforcement prior to a security incident; and establishing relationships with information sharing organizations.

The guidance also emphasizes that companies should not “hack back” against network intruders, as this type of retaliation can violate U.S. laws such as the Computer Fraud and Abuse Act, as well as international laws. The legal risk of hacking back is exacerbated by the fact that many attacks are launched from machines that the attackers control but do not actually own, so a counterattack may hit an uninvolved third party’s systems. Indeed, citing a frequent lack of familiarity with the laws surrounding hacking back on the part of in-house counsel, Assistant Attorney General Leslie R. Caldwell noted at the roundtable that DOJ had already scheduled “an initial discussion with in-house attorneys who work in a vital sector of our critical infrastructure” to “help them better prepare” on this topic.

In announcing the new document, Assistant Attorney General Caldwell noted that it was part of the Cybersecurity Unit’s ongoing mission to “actively engag[e] with the private sector and the public to address legal challenges related to cybersecurity.”  She also pointed to the need for a “strong partnership with you in the private sector” in order to more effectively fight cybercrime.  Throughout the roundtable discussion, law enforcement officials also repeatedly emphasized their desire to cooperate with and receive cooperation from the private sector, as well as their intention to treat companies that experience a cyber intrusion as victims rather than subjects or targets of a criminal investigation.

Assistant Attorney General Caldwell also noted that the document would be updated over time and that CCIPS would continue to issue legal guidance to the private sector.
