DOJ Issues Guidance for Best Practices Before, During, and After a Data Breach
By David Cole
In response to the increasing number of data breaches around the country, and the public attention being given to them, the Department of Justice (DOJ) recently issued a guidance document intended to help organizations prepare for and respond to data breaches. The document, titled “Best Practices for Victim Response and Reporting of Cyber Incidents,” is based on the DOJ’s experience investigating and prosecuting cybercriminals. The guidelines focus primarily on the proactive and reactive measures an organization should take with respect to data breaches.
Consistent with the NIST Cybersecurity Framework, the DOJ guidance recommends that, before any data breach occurs, organizations should conduct a risk assessment to identify and prioritize critical assets, data, and services. In addition, the guidance recommends that organizations develop a data breach response plan that has specific, concrete procedures to follow in the event of a data breach. Once a plan is developed, organizations should test the plan with “table top” exercises, and continually update the plan to reflect changes in personnel and structure. Organizations should also ensure that they maintain necessary technology to detect and respond to data breaches.
In the event of a data breach, the guidance recommends a number of basic steps. It advises organizations to not use compromised systems to communicate once they become aware of a potential data breach. After making an initial assessment of the nature and scope of the incident, the guidelines also suggest that an organization minimize continuing damage to its system by taking steps such as rerouting network traffic, blocking a denial of service attack, or isolating all or part of a compromised network. The organization also should record and collect all evidence and information that it can about the unauthorized access that occurred, which may involve imaging the affected computer and retaining all logs and records of the data underlying the incident. Finally, the guidelines suggest that an organization notify its employees, management, law enforcement (including the Department of Homeland Security), and any potential victims.
The guidelines also warn that, in the event of a cyber-attack, organizations should not “hack back” or intrude upon the suspect’s network. “Hacking back” may violate a number of laws, and since many intrusions are launched from compromised systems, “hacking back” can damage or impair another victim’s system. The guidance also recommends that victim organizations continue monitoring their networks after a cyber-attack for any unusual activity to make sure that any unauthorized users are really gone. After an incident is over, the DOJ recommends a post-incident review to identify deficiencies in the planning and execution of the incident response plan.
Lastly, the DOJ suggests that before, during, and after a data breach, organizations work closely with legal counsel who is experienced in handling data breaches. The use of experienced counsel ensures that an organization will receive accurate advice from counsel who is comfortable with addressing the unique and varied issues that arise from a data breach.