Dealing with those Tricky Cybersecurity Issues: What are the risks of reporting a breach to law enforcement, and is it worth it?

Una Dean and Dan Silver were once colleagues at the U.S. Attorney’s Office for the Eastern District of New York. Dean is still an assistant U.S. attorney there, and, as a cyber specialist, oversees many of the cyber investigations and prosecutions. Silver, who was chief of the national security and cybercrime section when he was there, has since moved to Clifford Chance, where he is a partner in the regulatory enforcement and white-collar crime group. They sat down to talk about the challenges that companies face when grappling with data breaches. And they discussed the tricky issue of deciding when (or whether) to notify law enforcement. Their conversation has been edited for length and style.

MCC: How can general counsel and chief legal officers best protect their companies from cyberattacks and breaches?

Silver: There is no one solution, but the best way to protect your company is to be continually involved in reviewing and updating your policies and procedures while keeping abreast of developments in this area. Cyber issues are part of an evolving landscape, so it is critical to construct an adaptive approach. One important aspect that clients sometimes overlook involves simply knowing your data. It's becoming increasingly complicated to understand what kinds of valuable employee, customer and third-party data you are holding and where that data is being housed – whether internally or on third-party systems.

Dean: I agree that there’s no silver bullet. You have to be constantly vigilant about communicating current policies to relevant stakeholders and monitoring compliance. In the past, cyberattacks were handled by IT departments in back rooms, but now companies realize that cybersecurity needs to be addressed at the executive level. Because these issues are more about corporate exposure and risk management, we are seeing more chief information security officer roles being integrated into the C-suite. These people report cyber risks directly to the CEO and on to the board, and this level of communication has now become imperative. One key practical component of a risk-mitigation program is the incident response plan, which will vary from company to company but should include certain basics. As Dan said, the first step is to identify your data, your company's crown jewels. Understand where they are located and how they’re being protected. Make sure that the people drafting your incident response plan are the relevant stakeholders. Do tabletop exercises to prepare people for quick action – because in all likelihood, there will be intrusions. This way, everyone will know exactly what to do and who is in charge.

MCC: Much has been written about the cloud as less expensive and, in many respects, safer from cyberattacks. How can companies maintain compliance in the age of cloud computing?

Silver: From a data privacy perspective, the main issue relates to being aware of where your data resides. For example, a global organization that houses its servers for U.S. employees in Europe may not fully understand the data privacy implications of this practice. Some European countries take the position that servers residing in Europe – even when they contain emails and data from U.S. employees of a U.S.-based entity – are equally subject to EU data privacy regulations as data from European counterparts. These jurisdictional issues quickly become more complex when you’re dealing with cloud-based systems, where simply locating the data can be difficult. So companies face real challenges in grappling with cloud-based systems and figuring out which data privacy rules will apply.

Dean: Adding to the difficulty is the fact that data storage is being outsourced to various vendors. Vendors may not allow you to send in a team to assess their own cybersecurity framework and protocols. But you can draft a contract that builds in your expectations with regard to data access and protection. It’s a very tricky area, and I don’t think anyone has perfected it just yet.

MCC: What's your advice for companies in selecting a vendor?

Silver: Generally speaking, ask about the vendor’s cybersecurity protocols. How will they handle and track your data, and who will have access? Do they use subcontractors and third parties for certain aspects of data processing? Understand their level of sophistication as to rules and regulations that apply in different jurisdictions. Can they easily tell you where your data will go, and can they prevent it from going to jurisdictions you want to avoid? These are just a few of the questions worth asking when choosing a vendor.

MCC: Data security breaches are most often caused by employees or other direct contributors to a company’s operations, such as vendors, contractors, etc. How can companies identify and mitigate these potential risks?

Dean: If you’re talking about insiders, then you need to distinguish between intentional and unintentional actors. In the case of intentional bad actors, companies are turning more and more toward data analytics to monitor behavior on their networks to look out for anomalies. In the case of unintentional actors, that's also a difficult issue. If a phishing email comes into 1,000 employee inboxes, it's likely that someone will click and put your system at risk. That risk is very hard to defeat, but good training can help.

Silver: That's right. You can do some internal auditing and conduct data security exercises. For instance, you can send spam messages to a large number of employees, learn who clicks on them and then discuss the results in a way that will really stick in their minds. I've seen companies do this, and it can be very effective in raising awareness versus a more generalized reminder about not clicking on unfamiliar links.

MCC: What are best practices once the company uncovers a possible attack or, in fact, has been breached?

Silver: A company should make sure that its incident response plan is comprehensive and includes determining what data was compromised, as well as how to remedy the breach. Technically, these are separate and complicated processes, likely requiring the assistance of outside consultants. From a legal standpoint, it's important to understand the notification requirements within each state where you have customers affected by a breach.

Dean: One obvious but often overlooked detail is to be sure that everyone has a paper copy of the plan. Under certain circumstances, such as a Distributed Denial of Service (DDoS) attack, you might have to unplug your systems or they may be unusable, in which case no one will have access to the plan.

MCC: What is the government's appropriate role in this process?

Dean: It's important to know that we don't draft incident response plans, nor do we advise on notifications. My role as a cybercrime prosecutor is to investigate and uncover the bad actors behind an attack. Often that requires a great deal of investigation, as culprits can hide overseas or behind nicknames and anonymized IP addresses. Our job is to figure out who is doing it and where the attack is coming from, and then bring those individuals to justice. In our investigative role, we consider companies that have been breached to be victims, and we work with them just as we would with any other victim, gathering evidence so that we can learn what happened and prosecute those responsible for the attack. From a law enforcement perspective, we do a great deal of outreach and training with folks in the private sector to help them understand that they can – and should – engage with us.

Silver: For my own part, I help clients determine whether and when they should approach law enforcement to report an issue. It can be a tricky assessment and a tough decision, but prosecutors want very much to encourage private industry to come forward, and I think that’s usually the right move. Sometimes, however, a company will do the right thing and be disappointed with the response. For example, I'm aware of a business email compromise case that involved a $1 million loss, but federal law enforcement officials declined to proceed with an investigation because of a lack of resources.

Dean: Disappointing outcomes do happen, but I will say that we’ve come a long way in the past 10 to 15 years. Back then, a company might call the FBI, have its servers imaged and then never hear back. Today, we make every effort to ensure that information flows in both directions, and that victims of cybercrime don't feel worse off for having engaged with us. Companies have real exposure to enforcement actions based on cybersecurity policies and controls, so when a breach occurs, we want to encourage cooperation as a positive factor. We can also be helpful in terms of potentially delaying the disclosure process during an ongoing investigation.

Silver: It's a big dilemma for our clients. On the one hand, agencies like the Department of Homeland Security, the FBI and the DOJ are focused on going after the hackers and trying to encourage companies to come forward and be treated as victims. On the other hand, regulators like the SEC, the FTC and state attorneys general are looking to hold the companies themselves accountable for any purported negligence that caused the breach. Companies can take some comfort in knowing that the DOJ is interested in helping them navigate that dichotomy between the benefits of self-reporting versus the significant potential penalties arising from a data breach.

MCC: If a company brings in law enforcement after an attack, what is the risk of enforcement officials launching an investigation as a result?

Silver: As I mentioned, the FBI and Homeland Security are unlikely to investigate the "victim" and so wouldn't usually call in the SEC or other regulatory bodies. It's more likely that those other agencies would become aware of the matter through media reports, third-party complaints or a direct self-report.

Dean: That's right. We don't refer these investigations to regulatory enforcement agencies. Companies are anxious at the thought of our gathering evidence by "rooting around" in their systems, and their boards take this issue seriously: "You’re letting the FBI just come in and image all our servers?" So we've developed creative ways of working with victims to address this anxiety, such as varying the scope of what we will, and will not, look at in the first instance.

Silver: That’s interesting. Do you even go so far as to have written agreements that address how the information may be used?

Dean: I have done that. It’s not an everyday occurrence, but where there are legitimate sensitivities, we have made such efforts to be mindful.

MCC: What should companies be aware of in terms of the latest cyber threats and developments from the new administration?

Dean: It's safe to say that we face unpredictable times, and cyber issues are right in the center. I advise companies to understand the threat landscape in real time and continuously develop and practice their incident response plans. Ransomware is a big problem these days, and many companies understand the risks. What happens, however, is that while very few will say in advance that they would be willing to pay a ransom, the vast majority will go ahead and pay when they actually become the subject of a ransomware attack. This is a predictable outcome for companies that were unprepared and, for example, did not maintain up-to-date backups. Another interesting facet of ransom paying is the practical issue of getting the bitcoin necessary to pay. Where do you get it, and how do you time the payment? It may take a week to get your hands on the bitcoin, while the ransom is doubling every two hours. Companies grappling with these issues absolutely should be engaged in exercises designed to walk them through these hypothetical scenarios.

Silver: With the new administration, it will be interesting to see how regulations develop in this area. The New York Department of Financial Services just came out with rigorous new cybersecurity regulations, and I expect that more agencies will do the same. It will be good to have more concrete guidance, but the downside is that the requirements will become more rigid as a result, which will further complicate compliance with applicable rules.