In a recent speech at the Georgetown Cyber Security Law Institute, Assistant Attorney General Leslie Caldwell outlined the recent activities of a new Cyber Security Unit created within the Justice Department’s Computer Crime and Intellectual Property Section (“CCIPS”). Her speech not only shed light on the new Unit’s mission, but also reinforced the recent message that companies victimized by cyber crime should cooperate with post-breach government investigations.
The DOJ’s New Cyber Security Unit
The Unit was formed as part of the DOJ’s initiative to work closely with the private sector and other federal agencies to combat cybercrime. Assistant AG Caldwell explained why the DOJ felt the need for a unit dedicated to cyber security:
First, cybercrime and cyber security have always been linked. Vulnerabilities in hardware and software and inadequate implementation of security protocols are what facilitate cybercrime. The tradecraft used by cybercriminals tells us something about the state of cyber security. In creating the Unit, we hope to use the lessons that CCIPS has learned and the skills that its prosecutors have gained from investigating and disrupting cybercrime to create actionable guidance and to support public- and private-sector cyber security efforts. Furthermore, by creating a dedicated Cyber Security Unit we can better ensure that cyber security receives the consistent, dedicated attention that it requires.
Assistant AG Caldwell stressed that corporate awareness of the nature of cybercrime, a willingness to report cybercrime early, cooperation with the Justice Department, and internal preparedness were critical to defeating cybercrime. “For years, CCIPS has been providing other government agencies with legal advice on how to lawfully implement their cyber security programs.” The new Unit expands the Department’s mission to analyze and provide legal guidance to businesses when cyber security issues implicate criminal statutes such as the hacking statute, the Wiretap Act and ECPA and actively engage the private sector, security researchers, privacy advocates and the public at large to address legal challenges related to cyber security. Caldwell also outlined the Unit’s outreach activities to the private bar, computer security researchers, industry groups and trade associations, financial institutions and other private-sector companies which have included:
-
Conducted a public discussion with leading security experts from different backgrounds on the subject of active defense. A summary of that discussion can be read on the Unit’s website at www.cybercrime.gov
-
Held a roundtable with leading private-sector data breach response practitioners from around the country discussing ways in which the DOJ could assist, and collaborate with, the private sector in cybercrime prevention and response. The DOJ stressed the benefits of promptly reporting data breaches to law enforcement. Caldwell explained the Unit considered how other agencies will factor a victim company’s cooperation with law enforcement into decisions they make when investigating a breach. Unsurprisingly, those who cooperate early will be looked upon more favorably. As recently discussed here, the FTC has also issued a statement urging cooperation by companies that suffer cyber attacks.
-
Published cyber guidance targeted to businesses that have been victimized by cyber attacks and data breaches. The publication, “Best Practices for Victim Response and Reporting of Cyber Incidents”, was released in April 2015 and is discussed here. Noting that it has been well received, Caldwell said, “Consistent with the mission of the Cyber Security Unit, the guidance draws upon prosecutors’ experience in investigating and prosecuting cybercrime. It also includes input from private-sector organizations that have handled cyber incidents. It captures common sense, prudent measures that organizations should voluntarily institute to prepare for and respond to a cyber-incident. It provides step-by-step advice on the measures that organizations should take before, during and after a cyber-incident. At each stage, it supplies specific examples of the manner in which these steps might be taken.”
DOJ Urges Victims to Cooperate with Post-Breach Investigations
Assistant AG Caldwell’s speech is noteworthy to businesses and their attorneys for a couple of reasons. First, it explains the mission of the Justice Department’s newest unit in the fight against cyber-crime. It highlights the willingness of the DOJ to provide businesses and the public in general with guidance in preparing for and defending against cyber-attacks and the appropriate actions that can be taken without coming into conflict with hacking statutes.
Also, the DOJ’s plea to businesses for cooperation has teeth. The FTC’s recent statement regarding the speed with which a business alerts law enforcement to a cyber-attacks and how cooperative that business is during an investigation of its safeguards and protocols will certainly affect the way that business is treated by regulators.
Finally, Caldwell’s speech again highlights the need for businesses that hold protected consumer personal information to become better educated on the mechanisms of cyber-theft and to have a ready response plan to deal with a breach. The standard of care bar is being raised right now, so be ready.
