On September 27, 2018, as part of the Department of Justice’s (DOJ) cybersecurity roundtable discussion, the DOJ’s Cybersecurity Unit issued Best Practices for Victim Response and Reporting of Cyber Incidents (the Best Practices), including a Cyber Incident Preparedness Checklist. As noted by the DOJ, the Best Practices do not have the force of law, and they are “not intended to have any regulatory effect.” Regardless, the Best Practices provide insight into the DOJ’s concerns with respect to cybersecurity and its expectations regarding organizations’ levels of effort on cybersecurity.
The newly published Best Practices are an update to the Best Practices issued in April 2015. Notable items in the updated Best Practices are:
- Integration of CISA to the Best Practices: The Best Practices incorporate the Cybersecurity Information Sharing Act of 2015 (CISA), which “provides private entities with broad authority to conduct cybersecurity monitoring of their own networks, or a third party’s networks with appropriate consent.” CISA provides an exception to other potentially conflicting laws, such as the Wiretap Act and the Pen Register/Trap and Trace Act, as long as the CISA requirements are met. Under CISA, private entities are permitted to monitor information or an information system for a “cybersecurity purpose,” which means a “purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.” CISA is also meant to promote sharing information about cybersecurity threats by affording protections to private entities against certain liabilities (as long as CISA requirements are met).
- Descriptions of basic cybersecurity procedures: The Best Practices describe several protocols as basic cybersecurity procedures. Specifically, they recommend: (i) a reasonable patch management program to address software vulnerabilities; (ii) access controls and network segmentation to limit the data at risk; and (iii) maintenance of copies of server logs
- Importance of improving familiarity with related issues on an organizational level: The Best Practices also highlight the importance of an organization’s awareness of and familiarity with cybersecurity risks and its incident response plan, including regular briefings about threats and risk management strategies to senior management and regular exercises for the incident response plan (for example, real-time enactments, tabletop discussions).
- Acknowledgment of the role of third parties in data management: As part of the guidance to identify an organization’s critical high-priority data security items, the Best Practices now suggest evaluating threats stemming from “the use of contractors, service providers, and other outside agents that host an organization’s data and/or have access to its network, data, or resources (e.g., third-party vendors, law firms, and clearinghouses).”
- Observation of the increased role of incident response firms: The Best Practices now provide guidelines on incident response firms, noting that organizations often rely on outside incident response firms to respond to cybersecurity events. They state that such incident response firms should be able to collect and preserve affected data and evidence in a forensically sound manner. In addition, the Best Practices note that federal law enforcement may need to coordinate with the incident response firm in connection with their investigations, as such cooperation “will avoid duplication of effort, minimize disruption of the victim organization’s operations, and expedite the investigation.”
- Emphasis on cooperation with law enforcement: Throughout the Best Practices, the DOJ reiterates its desire to cooperate with organizations regarding cyber incidents. It explains the FBI and Secret Service will work to minimize the disruption and harm to the victim organization, and it notes the benefits of communicating with law enforcement, such as being able to safeguard certain sensitive information from unnecessary disclosure. However, each company should evaluate this recommendation on a case-by-case basis as there may be particular risks to consider, depending on the circumstances of the incident, other associated requirements (for example, disclosure laws), and the response strategy.
The DOJ’s updated Best Practices are an attempt to encapsulate the emerging trends in the realm of cybersecurity, including new laws and regulations (that is, CISA), organizational priorities, and the role of third parties in the data and cybersecurity ecosystem. Even though the DOJ reiterates throughout the Best Practices that it does not have a regulatory role in the realm of data breaches, the Best Practices indicate the agency remains engaged with the issue.