Notifying Law Enforcement of Security Incidents - Dear Mary – Incidents + Investigations Cybersecurity Advice Column

Troutman Pepper

“Dear Mary” is Troutman Pepper’s Incidents + Investigations team’s advice column. Here, you will find Mary’s answers to questions about anything and everything cyber-related — data breaches, forensic investigations, how to respond to regulators, and much more. “Dear Mary” goes beyond our articles, podcasts, webinars, and other content we produce because here, we respond directly to your questions with concise, practical answers. We promise they will be interesting, informative, and hopefully a little fun.

Drop us a line with any cyber-related question you would like answered — whatever may keep you up at night — and we’ll do our very best to provide a practical, actionable answer. Of course, our answers will be somewhat general in nature and should not be considered legal advice — always consult with an attorney (preferably one of ours!) before acting on anything you read here.

Thank you for reading!


Dear Mary,

I recently experienced a security incident at my company and am considering whether to report it to law enforcement. While I want to cooperate and help catch the cybercriminals responsible, I am worried that law enforcement might come after my company for... I am not exactly sure what.

What should I do?

– Not Guilty



August 21, 2024

Dear Mr. Guilty — pardon me — Not Guilty,

Your hesitancy to engage law enforcement is not uncommon. Many businesses are intimidated by the thought of interacting with law enforcement, especially during an active security incident. Let me provide some clarity to hopefully give your not-guilty conscience some peace of mind.

Law enforcement’s primary interest in security incidents is to pursue the threat actors or cybercriminals responsible. Typically, the client or victim is not the target of their investigation efforts. However, because the cybercriminal may have been lurking in your systems, you may have valuable information to share. This includes indicators of compromise (IOCs), information pertaining to the threat actor’s tactics, techniques, and procedures (TTPs), and the like. Therefore, law enforcement may be interested in speaking with you.

If you decide to notify law enforcement, here are a few tips to keep in mind:

  1. Law Enforcement’s Capacity: Law enforcement agencies are often busy and may not get involved in every case. It’s not uncommon to report an incident and never hear back. However, if your incident involves a specific threat actor gang or issue that law enforcement has shown interest in, you may be fortunate enough (is that the right phrase?) to receive a response.
  2. Optics: Notifying law enforcement can be beneficial from an optics perspective. It may demonstrate to affected stakeholders that you are taking the matter seriously and are committed to addressing the issue.
  3. Nonprivileged Communications: Remember that your communications with law enforcement are not privileged. Where possible, leverage your cybersecurity counsel to navigate these conversations for you. They likely have significant experience in interacting with law enforcement and may have valuable contacts within the agencies to facilitate reporting.
  4. Confidentiality Concerns: Based on law enforcement’s prior history, it’s not guaranteed that your report will remain confidential. The information could be shared with regulators and even the public, so craft any notice you intend to submit with this in mind.
  5. Cooperation: Should you have valuable information or forensic artifacts to share, law enforcement may request a certain level of assistance and cooperation from you as part of their investigation. Depending on their needs, this could require a significant commitment of time and resources on your part. You may also need to consider whether the requested cooperation involves disclosing any confidential or proprietary information. For example, if you’re asked to turn over certain systems or machines involved in the security incident, consider the types of data stored within those machines and what steps you may need to take to ensure that the disclosure is permitted.
  6. Report to the Right Agency: Consult with your cybersecurity counsel to determine which law enforcement agency is most appropriate to notify. For example, ransomware attacks are typically reported to the FBI, while the Secret Service is particularly skilled in handling wire fraud and business email compromise (BEC) incidents. Ensure you report to the right agency to maximize the effectiveness of your response.
  7. Law Enforcement Delay: While we’re jumping ahead a bit, discuss with your counsel what a “law enforcement delay” entails. In the context of breach notification, law enforcement agencies may request that you delay sending any breach notification letters if issuing such letters would impede a related investigation. Naturally, they can only make this request if they are aware of the incident, which may be a reason to consider notifying them.

Also keep in mind that while many businesses choose to notify law enforcement out of an abundance of caution, there are circumstances where notifying law enforcement is strongly encouraged or even legally required. This includes situations where businesses are paying a ransom or are subject to certain regulatory frameworks that mandate notification.

Overall, coordinating and cooperating with law enforcement can be a positive and friendly experience, given their primary objective of taking down the cybercriminal. Just ensure you consider the points mentioned above as you navigate reporting and any subsequent discussions.

Yours truly,

Dear Mary

Written by:

Troutman Pepper