DOJ Issues Data Breach Guidance

On Wednesday, April 29, 2015, the Department of Justice Computer Crime and Intellectual Property Section (CCIPS) Cybersecurity Unit issued new, detailed guidance on data breach incident response best practices.  The document was announced at an invitation-only roundtable hosted by DOJ and provides guidance on what DOJ regards as “best practices for victims and potential victims to address the risk of data breaches, before, during and after cyber-attacks and intrusions.”  The document was prepared with input from federal prosecutors as well as private sector companies that experienced cybersecurity incidents.

The guidance is split into four primary sections: (1) Steps to Take Before a Cyber Intrusion or Attack Occurs; (2) Responding to a Computer Intrusion: Executing Your Incident Response Plan; (3) What Not to Do Following a Cyber Incident; and (4) After a Computer Incident.  In addition, the document contains a “cyber incident preparedness checklist” that is also split into before, during, and after a cyber-attack or intrusion.

Each section has several subsections containing more detailed guidance.  For instance, prior to an incident, DOJ recommends that companies perform a risk assessment to identify critical services, assets, and data in order to prioritize their protection efforts.  DOJ points to the NIST Cybersecurity Framework as “excellent guidance on risk management planning and policies” and states that it “merits consideration.”  DOJ also recommends that companies have an actionable response plan in place prior to an incident; provides minimum criteria for such plans; and emphasizes that employees responsible for executing the plan must have access to and be familiar with it via training and exercises.  Other recommendations for “before an incident” include having appropriate technology and services in place; having appropriate authorization in place to permit network monitoring; ensuring that legal counsel is familiar with technology and cyber incident management; ensuring that organizational policies align with incident response plans; engaging with law enforcement prior to a security incident; and establishing relationships with information sharing organizations.

The guidance also emphasizes that companies should not “hack back” against network intruders, as this type of retaliation can violate U.S. laws such as the Computer Fraud and Abuse Act, as well as international laws.  The risk of breaking the law by hacking back is exacerbated by the fact that many attacks are launched from machines that bad actors control but do not actually own.  Indeed, citing a frequent lack of familiarity with the laws associated with hacking back on the part of in-house counsel, Assistant Attorney General Leslie R. Caldwell noted at the roundtable that DOJ had already scheduled “an initial discussion with in-house attorneys who work in a vital sector of our critical infrastructure” to “help them better prepare” on this topic.

In announcing the new document, Assistant Attorney General Caldwell noted that it was part of the Cybersecurity Unit’s ongoing mission to “actively engag[e] with the private sector and the public to address legal challenges related to cybersecurity.”  She also pointed to the need for a “strong partnership with you in the private sector” in order to more effectively fight cybercrime.  Throughout the roundtable discussion, law enforcement officials also repeatedly emphasized their desire to cooperate with and receive cooperation from the private sector, as well as their intention to treat companies that experience a cyber intrusion as victims rather than subjects or targets of a criminal investigation.

Assistant Attorney General Caldwell also noted that the document would be updated over time and that CCIPS would continue to issue legal guidance to the private sector.