Legal and Financial firms should be aware of and understand the guidance offered by the U.S. Department of Justice, Criminal Division, Cybersecurity Unit, titled “Best Practices for Victim Response and Reporting of Cyber Incidents”, which was issued last Friday, April 29, 2015.
We sit up and pay attention when Executive Departments with legal mandates issue guidance, and, in this case, we believe the DOJ Cybersecurity Unit has made important additions to, or helped summarize, the concepts of Response and Recovery Planning.
Compliance, Legal, and the Executive level need to be aware of these steps and their associated action items.
The formation of the DOJ Cybersecurity Unit was announced only at year-end, and we have already described the trend of Agency Task Forces appearing and then issuing critical guidance. We noted the same pattern with respect to the National Insurance Association of Commissioners (NAIC) and the American Bar Association (ABA).
While many Agencies and Associations are issuing guidance on disclosure of breach, the DOJ guidance is more granular and can be added to, or considered in light of, existing best practices with respect to Incident Response and Recovery.
The DOJ describes the basic mission of its Guidance as follows:
This “best practices” document was drafted by the Cybersecurity Unit to assist organizations in preparing a cyber incident response plan and, more generally, in preparing to respond to a cyber incident. It reflects lessons learned by federal prosecutors while handling cyber investigations and prosecutions, including information about how cyber criminals’ tactics and tradecraft can thwart recovery. It also incorporates input from private sector companies that have managed cyber incidents. It was drafted with smaller, less well-resourced organizations in mind; however, even larger organizations with more experience in handling cyber incidents may benefit from it.
We at Artemis would further underscore that, like almost all Agency and department guidance issued in the past few months, the DOJ endorses the NIST Cybersecurity Framework, which adds to the growing body of evidence that a minimum standard of care is being created and what started as “voluntary” may soon become “mandatory” in order to reduce liability.
The Cybersecurity Framework produced by the National Institute of Standards and Technology (NIST) provides excellent guidance on risk management planning and policies and merits consideration.
The DOJ Guidance focuses on steps to take before an intrusion (largely well-understood best practices) and on executing your Plan in the event of an incident. Clients will be well aware of some of the recommended best practices for preparation, such as:
- Data Classification;
- Backup; and
- Use of Data Loss Prevention Techniques.
In addition to addressing familiar technical best practices, the DOJ Guidance, as one might expect, also focuses on important legal issues such as:
- User Consent;
- The Role of the General Counsel;
- The Importance of Legal Advice; and
- Engaging with Law Enforcement Prior to an Incident.
The DOJ Guidance goes on to define minimum steps that should be taken in the event of an incident and once your Plan has been put into action. Some of these steps include:
- Initial Assessment (specific actions to take at the time of breach discovery);
- Implementing Measures to Minimize Continuing Damage (rerouting traffic, filtering, isolating);
- Recording and Collecting Information (imaging, locating previous backups for comparison); and
- Maintaining Information related to the incident.
The Guidance states explicitly that:
The victim organization should keep detailed records of whatever steps are taken to mitigate the damage and should keep stock of any associated costs incurred. Such information may be important for recovering damages from responsible parties and for any subsequent criminal investigation.
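As an added example (not code from the DOJ Guidance or from Artemis), the following Python script shows one way to keep the kind of record the quoted passage calls for: an append-only, hash-chained incident log in which each response action carries its cost and each collected evidence item (for example, a disk image) is recorded by its SHA-256 digest. Because every entry commits to the hash of the entry before it, a later edit or deletion of any step breaks verification, which is what makes the record useful for a subsequent damages claim or criminal investigation. The incident identifier, the people named, the timestamps and the image bytes are all constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for the bytes of a captured disk image.
SAMPLE_IMAGE = b"constructed-sample-image-bytes-of-affected-host"


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest as hex; used both for evidence items and for chaining entries."""
    return hashlib.sha256(data).hexdigest()


def now_iso() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class IncidentRecord:
    """Append-only, hash-chained log of response actions, evidence and costs."""

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        # Hash every field except the hash itself, with a canonical key order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def _append(self, kind: str, who: str, when, **fields) -> dict:
        entry = {
            "seq": len(self.entries),
            "incident_id": self.incident_id,
            "kind": kind,
            "who": who,
            "when": when or now_iso(),
            "prev_hash": self.entries[-1]["hash"] if self.entries else self.GENESIS,
            **fields,
        }
        entry["hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def log_action(self, who, action, cost_usd=0.0, when=None):
        """Record a mitigation step and any cost it incurred."""
        return self._append("action", who, when, action=action, cost_usd=float(cost_usd))

    def log_evidence(self, who, description, content: bytes, when=None):
        """Record a collected item by its digest and size, not by its contents,
        so the log can later show the item was not altered after collection."""
        return self._append("evidence", who, when, description=description,
                            size_bytes=len(content), sha256=sha256_hex(content))

    def total_cost(self) -> float:
        return round(sum(e.get("cost_usd", 0.0) for e in self.entries), 2)

    def verify(self) -> bool:
        """True if every entry is in sequence, chains to its predecessor and is unmodified."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._entry_hash(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def build_sample_record() -> IncidentRecord:
    """Constructed sample: four steps a small organisation might log during a response."""
    rec = IncidentRecord("INC-0001")  # hypothetical incident identifier
    rec.log_action("jdoe", "Isolated affected host from the network",
                   when="2015-05-01T14:02:00+00:00")
    rec.log_evidence("jdoe", "Disk image of affected host", SAMPLE_IMAGE,
                     when="2015-05-01T14:30:00+00:00")
    rec.log_action("example-forensics-vendor", "External imaging and analysis engagement",
                   cost_usd=4500, when="2015-05-01T16:00:00+00:00")
    rec.log_action("jdoe", "Restored from backup dated 2015-04-28",
                   cost_usd=120.50, when="2015-05-02T09:15:00+00:00")
    return rec


if __name__ == "__main__":
    rec = build_sample_record()
    print(json.dumps(rec.entries, indent=2))
    print("chain valid:", rec.verify(), "| total cost USD:", rec.total_cost())
```

The log stores only the digest of each evidence item, so the record stays small and can be shared with counsel or law enforcement without handing over the evidence itself; the digest is enough to show later that the image presented matches the one collected.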
Clients, both Legal and Financial, should know that the Guidance also contains further important suggestions on Notification, things “Not to Do”, and steps for closure. Finally, the DOJ has included a helpful “Cyber Incident Preparedness Checklist”, which ties closely to the preparation process and summarizes pre- and post-breach considerations.
This DOJ Guidance will be further discussed in our May 21 Webinar: The SEC’s Cybersecurity Guidance: Monitoring Solutions for a Regulated Future.
Action Items for Clients:
- Review this Guidance with your Information Security Committee or comparable Risk Management mechanism, and make sure Compliance, Legal, and IT all have a clear understanding of the suggested steps;
- Consider additions to your personnel policies for User Consent and the direct role of the General Counsel;
- Review your existing Cybersecurity Framework with the concept of expanding specific functions like Respond and Recover in mind;
- If you have not implemented a cybersecurity framework, consider the NIST Cybersecurity Framework, which is, again, discussed in the Guidance in coordination with steps recommended by the DOJ.
For Further Reading:
Please see Lyman Terni’s posts related to Response and Recovery and our White Paper: Five Reasons to Consider the NIST Cybersecurity Framework.
Artemis advises clients on disruption management including Incident Response, Recovery Plans, custom Framework Implementation, Breach Coordination, Policies and Procedures, and related regulatory issues.