On April 29, 2015, the Department of Justice’s new Cybersecurity Unit within the Computer Crime and Intellectual Property Section issued guidance on “Best Practices for Victim Response and Reporting of Cyber Incidents.” The “Best Practices” document offers some insight about the DOJ’s expectations with respect to preparing for and responding to cyber attacks. The “Best Practices” can be summarized into three categories.
1) Steps to Take Before a Cyber Intrusion or Attack Occurs
- Prepare Now. Trying to develop a data breach response plan in the midst of a data breach is next to impossible. Develop a plan tailored to your organization now.
- Identify the “Crown Jewels.” Adopt your plan so that the information, data, assets, or services most valuable to your organization are protected.
- Invest in Technology and Personnel. Your organization should have the technology and services it will need to respond to a cyber incident. Tech-savvy consultants and legal counsel with knowledge and experience is helpful. These same professionals will be ready to assist when a data breach occurs.
- Assign Responsibilities and Train Personnel. The best response to a cyber attack involves swift action. Accordingly, a response plan must be clear on who is responsible for implementing the plan. Train those people now. Conduct trial runs or drills so that gaps in the response plan are identified.
2) Responding to a Computer Intrusion by Executing Your Response Plan
- Assess the Damage. Executing a response plan requires you to assess the nature and extent of the data breach.
- Stop the Bleeding. Ensure the cyber attack is shut down. IT professionals are best equipped to do what is necessary to isolate, reroute, block, close or quarantine.
- Preserve Information. Affected hardware and software should be preserved. Make a “forensic image” of affected computers.
- Notify Affected Persons. Notification to affected individuals and entities, as well as law enforcement, will ensure that certain legal obligations are met. Notice to law enforcement will garner appropriate government resources.
3) Recovering from a Cyber Incident
- Assess and Revise. Assess the good and the bad of the response plan. Identify how to strengthen the plan from top to bottom.
- Remain Vigilant. Continue monitoring the organization’s network. Do not assume immunity from attack simply because you have experienced one. Repeated attacks occur.
The DOJ’s “Best Practices” is a helpful resource when developing a response plan for combatting cyber incidents. The message is clear: organizations without a cyber security plan should develop one. In fact, having a plan and following it may be viewed favorably by the DOJ in the event the government inquires about a cyber incident.