On September 27, 2018, the Department of Justice Computer Crime and Intellectual Property (CCIPS) Cybersecurity Unit released Version 2.0 of its “Best Practices for Victim Response and Reporting of Cyber Incidents.” Originally issued in 2015, the updated guidance seeks to help organizations better equip themselves to be able to respond effectively and lawfully to cyber incidents. The updated version distills insights from private and public sector experts, incorporating new incident response considerations in light of technical and legal developments in the past three years. While the guidance is designed to mostly be applicable to small- and medium-sized businesses, it may be useful to larger organizations as well.
Similar to Version 1.0 (see our previous analysis here), the updated guidance is divided into several parts, advising companies on steps to take before, during, and after a cybersecurity incident. The first part, “Steps to Take Before a Cyber Intrusion or Attack Occurs,” highlights the importance of proper preparation, including educating senior management about cyber threats, deciding how to prioritize resources, engaging with law enforcement, and most importantly, having a well-established and actionable incident response plan in place before a security incident. Another section advises organizations on how to respond to a cyber incident, incorporating suggestions for how to make an initial assessment, implement measures to minimize continuing damage, record relevant information, and notify the proper parties. Finally, the document features a “Cyber Incident Preparedness Checklist,” designed to help organizations and their counsel put the Best Practices into action.
While much of the advice featured in Version 2.0 appeared in the previous version of the document, the updated guidance includes additional suggestions that reflect the changing technological and regulatory landscape. For example, in terms of new cyber threats, the guidance incorporates advice on how to prepare for and respond to a ransomware attack, emphasizing that different types of attacks require different types of defenses. The guidance also contains updates in response to the changing ways in which organizations store their data, such as cloud computing. Other updates include a section on information sharing pursuant to the Cybersecurity Information Sharing Act of 2015, an increased emphasis on the importance of educating senior management about cyber threats, and recommendations for working effectively with both cyber incident response firms and law enforcement.
Announced during a roundtable discussion with leading cyber practitioners on the challenges of handling data breach investigations, the guidance is part of an ongoing effort by the Cybersecurity Unit to “help elevate cybersecurity efforts and build better channels of communication between law enforcement and industry.” While the document is not intended to have any regulatory effect, the guidance is a useful tool for organizations seeking to make sure their data security policies align with today’s best practices.