U.S. Department of Justice Releases Report Identifying “Best Practices” for Victim Response and Reporting of Cyber Incidents
May, 2015 - Ronald W. Breaux, David Siegal, Emily Westridge Black, Timothy Newman, Gregory C. Salton
Last week the U.S. Department of Justice’s Cybersecurity Unit (“DOJ”) issued guidance to organizations concerning preparing for, responding to, and remediating cyber incidents. DOJ based its publication on lessons learned by federal prosecutors who handle cyber investigations and prosecutions, as well as feedback from private sector victims of cyber attacks and intrusions.
DOJ’s report suggests “best practices” for anticipating a potential cyber incident, as well as for responding during, and recovering after, a cyber incident.
Preparing for a Potential Cyber Incident
DOJ’s report emphasizes the importance of establishing appropriate plans, procedures, and policies in advance, both for shielding an organization’s critical assets and data from a cyber incident, as well as for initially responding to a cyber incident. Although specific plans, procedures, and policies will vary depending on each organization’s size, structure, and the nature of its business, DOJ identified, among others, the following preventative best practices:
- Identify what assets are “mission critical” to the operation of the organization so that the organization can determine where it needs to focus its protection efforts. These critical assets can be protected by layers of security, including, e.g., restricted access rights, multi-factor authentication, and firewalls.
- Create, and test with simulated exercises, a detailed incident response plan that sets forth policies and procedures to follow in the event of a cyber incident. The plan should have responses tailored to different types of potential incidents (e.g., spear phishing, denial of service attacks, or device theft or loss).
- Have in place the technology and services necessary to respond to a cyber breach (e.g., off-site data back-up, intrusion detection capabilities, and/or traffic filtering or scrubbing devices).
- Regularly monitor network traffic for unusual or unexplained activity.
- Retain legal counsel familiar with cyber incident management and response issues.
- Ensure other organizational policies (e.g., human resource policies, personnel policies, and information technology policies) are aligned with the incident response plan.
- Establish a relationship with law enforcement and other organizations that share cyber-threat information.
Responding to a Cyber Incident
Even the most prepared and cautious organization may fall victim to a cyber intrusion. As important as it is to establish a cyber incident response plan in advance, an organization must still properly identify and assess a cyber incident as quickly as possible, and effectively execute the organization’s incident response plan. DOJ identified the following best practices for implementing a response plan following a cyber incident:
- Immediately assess the nature and scope of the cyber incident in order to determine the type of assistance and remedial efforts that may be required.
- Take necessary steps consistent with the response plan in order to minimize continuing damage.
- Collect and preserve evidence related to the cyber incident.
- Notify the appropriate individuals and organizations, including key personnel within the organization, applicable law enforcement authorities, and other potential victims.
In the Aftermath of a Cyber Incident
In the aftermath of a cyber attack or intrusion, an organization should remain vigilant. Some of the do’s and don’ts identified by DOJ include:
- Do not use any system that you suspect is compromised.
- Do not “hack back” or otherwise attempt to access, damage, or impair a system that appears to be involved in the cyber attack on your organization, as such a response might itself violate federal and/or state laws.
- Do remain alert, continuing to monitor your systems for any abnormal activity, as cyber intruders may attempt to regain access to previously compromised networks.
- Do conduct a comprehensive review of the attack and initiate measures to prevent similar attacks from occurring in the future.
- Do assess the performance and effectiveness of the organization’s incident response plan, procedures, and policies, and take any required remedial steps.
Although regular readers of our alerts will be familiar with the recommendations outlined in DOJ’s publication, companies should review DOJ’s guidance to refresh themselves on best practices for preventing, responding to, and remediating a cyber breach. Haynes and Boone can advise you regarding these practices and others aimed at reducing cyber risk and liability.