Bloomberg Law
April 1, 2016, 4:37 PM UTC

Perspective: How Companies Can Work With the U.S. Government on Cyber Threats

Ed McAndrew

Editor’s Note: The author of this post is a privacy and data security lawyer.

By Edward J. McAndrew, Ballard Spahr, partner

From the malicious to the unintentional, cyber incidents continue to increase in frequency, severity, and cost to companies. The Ponemon Institute estimates that data breaches now cost companies an average of $174 per record, with many breaches running into the high thousands or millions of records. This says nothing of the costs associated with intellectual property theft and disruptive or destructive incidents. Nor does it account for the reputational harm resulting from cyber incidents, which in-house counsel ranked as their top concern in the ACC Foundation’s recent “State of Cybersecurity Report.” As a result, many companies are in constant crisis mode, contemporaneously trying to prevent, respond to, and recover from incidents.

Despite the heightened attention and budgets directed toward cybersecurity, cyber incidents are inevitable. Almost one-third of in-house counsel surveyed by the ACC Foundation have experienced a data breach – most within the past two years. Preparation now for what to do after an incident is therefore a business imperative and increasingly a legal requirement.

Following your discovery of a cyber incident, you will find yourself in one or more of the following roles:

  • A crime victim that has been – and often still is being – hacked, looted, outed, sabotaged or extorted.

  • A target of governmental privacy and data security regulators.

  • A civil litigant sued by consumers, shareholders, business partners, etc.

  • A media punching bag often ridiculed for failing to prevent the cyber incident.

In the midst of this crisis, you will likely need to assess whether to involve law enforcement. Federal law enforcement can help you address persistent, advanced and operationally disruptive threats, including containment, attribution, long-term threat elimination or disruption, and evidence gathering and preservation. Law enforcement cooperation can also be used to delay notification to regulators, state Attorneys General, impacted consumers, and others. Law enforcement agencies may even intercede with regulators to delay or dissuade regulatory enforcement action and with foreign counterparts to address the threat.

By contrast, law enforcement involvement may cause you to lose control over data, impacted devices, the investigation and the narrative of incident response. Your employees will likely become involved in the investigation, and your data security history and digital activities may be exposed to investigators. Law enforcement may not share information in as complete or timely a fashion as you would like. You will not be in control of any criminal litigation featuring your company as a public victim. Finally, law enforcement agents may not fully appreciate the business sensitivities, internal dynamics, or organizational equities involved in the incident.

The following eight steps can help you navigate the four competing roles you must play. They will also help mitigate the impact of an incident by constructive engagement of law enforcement and regulators:

  1. Make two-way information sharing a key part of your cybersecurity program. Investigate the liability protections and information sharing mechanisms created by the Cybersecurity Information Sharing Act. Participate in cyber outreach and information sharing programs sponsored by the FBI, U.S. Secret Service, DHS, and state and local governments. Join non-governmental groups, including ISACs and ISAOs.

  2. Create a positive dialogue with data security regulators around regulatory guidance through examinations and other non-enforcement interactions. Study the regulators’ actions and rationales. Do what you say in privacy and data security disclosures and learn how to avoid unwanted attention.

  3. Establish relationships with federal cyber agents and cyber AUSAs in your areas of operation. Include them in incident response planning and cyber incident exercises.

  4. Plan ahead for foreseeable regulatory, law enforcement, civil litigation and business issues that will follow the discovery of an incident.

  5. Prepare incident response investigative, legal, communications and crisis strategies that leverage cooperation with law enforcement to potentially limit or forestall regulatory inquiry, private litigation and other incident consequences. Know whether, when and how to engage law enforcement in cyber preparedness and incident response.

  6. Develop a track record of reasonable data security practices that you can point to in defending your organization.

  7. Encourage your critical vendors to follow your lead.

  8. Study the evolving cyber threat landscape, reassess your risk, and adjust your cybersecurity posture accordingly.

Although cyber incidents may be unavoidable, much of the resulting fallout is when proper planning and incident response management occur.
