The DOJ’s New Cyber Security Best Practices — Creating a Standard of Care?

Snell & Wilmer

On April 29, 2015, the U.S. Department of Justice Computer Crime and Intellectual Property Section (“DOJ”) issued version 1.0 of its “Best Practices for Victim Response and Reporting of Cyber Incidents.” It draws on “lessons learned by federal prosecutors while handling cyber investigations and prosecutions” in order to help small- to medium-sized organizations plan for a potential data breach. While taking a different approach from last year’s National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity, the DOJ’s new guidance makes it abundantly clear that there are baseline expectations of cybersecurity readiness and data protection for any organization connected to the internet. These expectations may also shape the legal standard of care in future cybersecurity and data privacy litigation.

The DOJ divides its guidance to emphasize what an organization should do before, during, and after a cyber-attack or intrusion. The weight of its recommendations addresses incident prevention. Organizations are advised to adopt internal risk management procedures and invest in the technology and knowledgeable personnel needed to monitor potential threats and respond quickly to an attack or intrusion. If resources are limited, an organization should identify the “crown jewels” among its data assets and focus its protections there. Just as with physical safety threats, organizational policies should cross-reference and incorporate a cyber incident response plan, and managers should proactively develop relationships with the cyber divisions of law enforcement agencies. At the very least, an organization with assets connected to the internet should take steps to understand its vulnerabilities and have a plan for the eventuality of a compromising cyber event.

During a cyber-attack, the DOJ counsels organizations to focus on defense rather than offense. Notably, organizations are warned against employing a “hack back” strategy, i.e., launching retaliatory attacks on other networks. Instead, personnel in charge of data asset security should work to minimize damage during an attack and keep comprehensive records of the event, both to improve organizational security and to report to law enforcement. When an attack appears to be over, personnel should continue monitoring for unusual network activity and use the event as an opportunity to revise the cyber incident response plan.

These best practices may sound intuitive, but they reinforce a growing consensus that public and private organizations alike must take certain basic steps to address the evolving threats to data security. The notion that “my company is too small and unimportant to be a cyber-attack target or data breach risk” is dangerously naïve (and just plain wrong) in today’s cyber-threat ecosystem. Organizations that fail to take reasonable steps to prepare for and protect against cyber-attacks will be viewed as risky business partners and left out of future business opportunities. Even worse, once those unprepared organizations do experience a cyber-attack and data breach, they may be exposed to significant liability for failing to meet basic cyber security best practices, such as those just announced by the DOJ.

Indeed, organizations that suffer future data breaches after failing to follow the DOJ’s data security guidance will likely have some serious explaining to do to regulators, plaintiff lawyers, shareholders and other interested parties.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Snell & Wilmer | Attorney Advertising
