The U.S. Department of Justice is stepping up its program to engage more actively with the private sector on dealing with cybercrime and cybersecurity breaches.
“We in government know that we cannot go it alone in fighting cybercrime. We need a strong partnership with you in the private sector,” Assistant Attorney General Leslie Caldwell recently said at a DoJ-sponsored Cybersecurity Industry Roundtable.
As head of DoJ’s Criminal Division, Caldwell late last year launched a special Cybersecurity Unit within the division’s Computer Crime and Intellectual Property section. While the division had been tracking cybercrime for more than 20 years, Caldwell created the new unit “to enhance public and private cybersecurity efforts.”
At last month’s roundtable, DoJ issued a special guidance document directed to commercial private sector entities with advice on how to prevent cyberintrusions, and how to deal with breaches when they occur. The suggestions include both legal and technology-oriented measures. Adoption of the recommendations could pay off not only in deterring cybercrime, but also in limiting legal liability when breaches occur.
Protecting the Crown Jewels
Among the DoJ suggestions for preventing a cyberattack:
Set priorities: Identify mission-critical data assets, referred to by DoJ as the “crown jewels,” and institute a tiered approach to protect those assets. Approaches should include risk-management tools such as those recommended by the National Institute of Standards and Technology.
Develop a Plan: Create an actionable incident-response plan that includes testing the plan with exercises, as well as a system for updating the plan. Ensure that technology for dealing with incidents is in place or easily obtainable.
Utilize Non-Technology Components: Engage legal counsel with expertise in cyberincident issues; align human resources policies with incident response plans; develop proactive relationships with relevant law enforcement agencies, outside counsel, public relations firms, and investigative and cybersecurity firms.
The Justice Department also offered some suggestions for businesses on what to do during a cyberattack or intrusion:
Assess damage: Organizations experiencing a breach should make an initial assessment of the scope and nature of the incident to determine, in particular, whether it is a malicious act or a technological glitch, and take steps to minimize continuing damage consistent with the organization’s cyberincident response plan. In addition, the breach victim should collect and preserve data related to the incident — including logs, notes and other records — and image the network.
Send notifications: Consistent with the incident response plan, the victim organization should notify appropriate management personnel internally, as well as law enforcement, other possible victims, and the Department of Homeland Security.
Shut down: Affected organizations should not use compromised systems to communicate, and they absolutely should not try to “hack back” or intrude upon another network.
The mere fact the Justice Department is engaging in an outreach program — and especially that it has issued the guidance — could be helpful in establishing some benchmarks for e-commerce businesses in terms of establishing clarity about appropriate measures for cyberprotection.
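The “assess damage” step above asks a breach victim to collect and preserve logs and other records. The value of preserved evidence depends on being able to show later that it was not altered after collection, so the usual practice is to copy each item, fingerprint it with a cryptographic hash, and keep a manifest that can be re-verified. The following Python script is an added example of that practice; it is not part of the DoJ guidance or this article. The file names, log lines, IP address and collector name in it are constructed for the demonstration.

```python
"""Evidence-preservation helper for the 'assess damage' step: copy incident-
related files into an evidence folder, fingerprint each with SHA-256, write a
manifest, and later re-verify the folder to detect any post-collection change.
Added example; the sample files and names below are constructed."""

import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve(sources, evidence_dir, collector):
    """Copy each source file into evidence_dir and record hash, size, origin,
    time and collector in manifest.json. Returns the manifest as a dict."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in sources:
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)  # copy2 keeps the original modification time
        entries.append({
            "name": os.path.basename(src),
            "origin": os.path.abspath(src),
            "sha256": sha256_of(dst),
            "size": os.path.getsize(dst),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest = {"items": entries}
    manifest_path = os.path.join(evidence_dir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    # Hash of the manifest itself; record this value somewhere the evidence
    # folder cannot reach (a ticket, a notebook) so the manifest is anchored too.
    manifest["manifest_sha256"] = sha256_of(manifest_path)
    return manifest


def verify(evidence_dir):
    """Re-hash every preserved file and return the names whose hash no longer
    matches the manifest. An empty list means the evidence is intact."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    tampered = []
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["name"])
        if not os.path.exists(path) or sha256_of(path) != item["sha256"]:
            tampered.append(item["name"])
    return tampered


def demo():
    """Constructed scenario: two sample log files are preserved, one preserved
    copy is then appended to, and verify() reports it. Returns (before, after)."""
    work = tempfile.mkdtemp()
    samples = [  # constructed log lines; 203.0.113.7 is a documentation address
        ("auth.log", "Apr 30 10:01:02 host sshd[411]: Failed password for admin from 203.0.113.7\n"),
        ("web.log", '203.0.113.7 - - [30/Apr/2015:10:01:05] "GET /admin HTTP/1.1" 401 -\n'),
    ]
    logs = []
    for name, text in samples:
        path = os.path.join(work, name)
        with open(path, "w") as f:
            f.write(text)
        logs.append(path)
    evidence = os.path.join(work, "evidence")
    preserve(logs, evidence, collector="ir-oncall (constructed)")
    before = verify(evidence)
    with open(os.path.join(evidence, "auth.log"), "a") as f:
        f.write("line added after collection\n")
    after = verify(evidence)
    shutil.rmtree(work)
    return before, after


if __name__ == "__main__":
    print(demo())  # ([], ['auth.log'])
```

The manifest records who collected each item and when, which is the minimum a later reviewer or counsel will ask for; writing the manifest’s own hash somewhere outside the evidence folder keeps the manifest from being silently rewritten along with the files it describes.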
“The DoJ guidance says that it is specifically drafted for smaller and less-resourced entities that would not necessarily have robust capabilities to handle cyberincidents on their own,” said David Fagan, a Covington partner who specializes in privacy and data security law.
“However, the principles and recommended action items in the guidance generally reflect well-accepted best practices,” he told the E-Commerce Times, “and to that end, may be useful for organizations of all sizes.”
Guidance Helpful but Not Binding
“As with most of the guidance that we have seen from federal agencies on cybersecurity issues of late, the DoJ document is meant to be looked at and applied through the lens of the size of the particular business and the scope of the risk. It’s also intended to focus companies’ attention on getting to know what that risk is, and how to address it pre-breach,” said Cynthia Larose, chair of the security law practice at Mintz Levin.
Whether the DoJ document has value beyond a best-practice advisory, as a definitive legal standard, is less clear.
“Since this is guidance and does not have the force of law, no legal liability attaches to whether a company actually adopts the measures suggested, and the extent of any company’s exposure is always a facts-and-circumstances discussion,” Larose told the E-Commerce Times.
“In the absence of any express statutory liability protection, the potential for legal liability from any breach turns on a number of factors: the actual facts of a breach; the size and scope of a breach; whether it is likely to attract attention from the plaintiffs’ bar; and whether the breach results in a regulatory investigation,” Covington’s Fagan noted.
In a legal context, “if an entity is able to demonstrate that it followed the guidance, that may be a helpful factor in defending against certain liability claims, but it will not necessarily be dispositive,” he said.
“Given the preponderance of this type of guidance from regulatory agencies, and the fact that some states are now incorporating — or proposing to incorporate — a requirement for ‘reasonable security’ into their data breach laws,” said Larose, “it is more likely than not that a company that in fact makes a good faith effort to work with the DoJ Guidance, the NIST Framework, and other industry standards to adopt and execute a cybersecurity plan will stand a better chance if potential legal action were to result in the wake of a data breach.
“We think it’s safe to say that doing nothing is no longer a viable option,” she added.
A Role for 3rd-Party Technology
Although the DoJ did not directly suggest this step, companies involved in e-commerce “should also develop a relationship with cybersecurity and forensic experts — like Cylance, Mandiant or KPMG — who can not only provide pre-breach intelligence and planning assistance, but can also be quickly available to help respond to a breach,” Larose wrote in a blog post.
“Engaging with technical resources and consulting firms to assist with risk assessment and gap analysis can provide valuable intelligence to companies in a pre-breach scenario. An independent look at infrastructure, network configuration, and benchmarking against industry peers can help a company shore up its offensive blocking and tackling against bad actors or internal threats,” she told the E-Commerce Times.
“It’s part of our ‘the best defense is a good offense’ strategy for dealing with cybersecurity,” Larose said.
Depending on the scope of network infrastructure and the sensitivity of information, companies should consider whether they want their first engagement with a security expert or experienced privacy counsel to be when they are actually in the throes of a security incident, she cautioned.
The use of such expertise does not mean that standard software and preventive technologies are insufficient.
However, “a third-party technical assessment can evaluate which solutions have been implemented, whether they are effective, and make recommendations based on an experience set that a company may not have access to otherwise,” Larose pointed out.
Besides DoJ’s Caldwell, newly appointed U.S. Attorney General Loretta Lynch also spoke at the April roundtable.
“We have a mutual and compelling interest in developing comprehensive strategies for confronting this threat, and it is imperative that our strategies evolve along with those of the hackers searching for new areas of weakness,” she said.
“But we can only meet that challenge if law enforcement and private companies share the effort and work in cooperation with each other,” Lynch remarked.
Participants in the roundtable were invited by DoJ, she noted.
“The list of attendees has not been provided publicly,” DoJ spokesperson Peter Carr told the E-Commerce Times, “but they included practitioners from the private bar, incident response firms, accounting firms and consultancies.”