There are specific state and federal laws that require companies to disclose when they have had a data breach, but there are few actual requirements to notify a law enforcement agency when a criminal cybersecurity incident takes place. However, it’s in your best interest to contact a law enforcement agency if an incident or breach that is criminal in nature is suspected. (Note that reporting a potential criminal cybersecurity incident to law enforcement is not the same thing as disclosing a data breach to a federal or state agency.)
First, let’s start with some definitions.
Is it a “breach,” or merely an “incident”?
Sometimes the words “incident” and “breach” are used interchangeably. However, the U.S. Department of Justice (DOJ) makes a distinction between the two terms.
According to the DOJ, an incident is “An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, acceptable use policies or standard computer security practices.”
The DOJ defines a breach as “The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to information, whether physical or electronic. It includes both intrusions (from outside the organization) and misuse (from within the organization).”
When is a cyber event a criminal offense?
Shawn Tuma, attorney with the Texas law firm Scheef & Stone, LLP, specializes in cybersecurity law. According to Tuma, not every cybersecurity incident is criminal in nature. In his blog post Guide To Reporting Cybersecurity Incidents To Law Enforcement And Governmental Agencies, he writes:
“There are two primary causes of breach events: (1) Intentional wrongdoing such as when an outside “hacker” penetrates the network and steals information, or when an employee intentionally accesses and takes forbidden information for his own purposes, both of which are generally considered criminal acts; or (2) Carelessness or negligence such as when a company insider misplaces an unencrypted USB thumb drive containing PII information.
“Whether an event is considered to be an incident or a breach is determined by the nature of the event, not what caused it. Whether an event is considered to be criminal or negligence is determined by the actions that caused the event. Some incidents will be criminal but not a breach; some breaches will be negligence but not criminal. Both situations described above are breaches though the first was caused by a criminal act and the second was a result of negligence.
“Criminal actions should be reported to law enforcement. There may be situations where a negligence-based situation should be reported to law enforcement but this will be determined on a case by case basis.”
Tuma recommends that in all but the most extraordinary of circumstances, companies should report cybersecurity incidents or breaches that are criminal acts to law enforcement as soon as possible. A criminal act that causes a cybersecurity incident is a crime no different from a robbery on the street, and it should be treated as such.
The role of law enforcement in investigating cybercrime events
With limited resources available, law enforcement is not able to aggressively pursue every case, or even take every case—but that doesn’t mean you shouldn’t report your case to law enforcement officials. For most agencies, their primary role is to protect society, investigate crimes, enforce criminal law, and hopefully, catch the bad guys and help bring them to justice. Certainly, cases that involve threats to national security, public health and safety, and critical infrastructure are of high interest to federal law enforcement authorities.
Law enforcement will do what they can, within reason, to help victim companies recover from an incident, but this is not their priority. Oftentimes, law enforcement’s pursuit of their primary role works hand-in-hand with the victim company’s objectives of learning how an incident occurred and recovering information that was taken.
In most cases, federal law enforcement authorities are going to have the best capabilities and resources to pursue cybersecurity incidents. The United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI) are designated as having concurrent jurisdiction to investigate “computer fraud” incidents under the Computer Fraud and Abuse Act. The FBI is designated as having primary jurisdiction over certain areas involving espionage, foreign counterintelligence, national defense, foreign relations, or certain restricted data.
Both the USSS and the FBI conduct regular outreach to private companies and other organizations likely to be targeted for intrusions and attacks. Such outreach occurs mostly through the FBI’s InfraGard chapters and Cyber Task Forces in each of the FBI’s 56 field offices, and through the U.S. Secret Service’s Electronic Crimes Task Forces.
The Department of Homeland Security has components dedicated to cybersecurity that not only collect and report on cyber incidents, phishing, malware, and other vulnerabilities, but also provide certain incident response services. The National Cybersecurity & Communications Integration Center (NCCIC) serves as a 24×7 centralized location for cybersecurity information sharing, incident response, and incident coordination. By contacting the NCCIC, you can both share and receive information about an ongoing incident that may prove beneficial to your organization as well as the government. You also may obtain technical assistance capable of mitigating an ongoing cyber incident.
Some states’ data breach notification laws have a reference to reporting the breach to law enforcement and obtaining a “police report” as part of the notification process. Many times, the simplest and easiest way to do this is to report the cybersecurity incident to state or local law enforcement authorities. Oftentimes this is a perfunctory matter that is done to ensure compliance with this “check the box” process but nothing substantive really comes from making such a report. In most cases, state and local law enforcement simply don’t have the resources or the expertise to investigate a cyber incident.
Attorney Shawn Tuma outlines various reasons for working with law enforcement after a criminal cybersecurity event:
- Agencies can compel third parties to disclose data (such as connection logs) necessary to understand how the incident took place, which can help a company better protect itself.
- Law enforcement may be able to use legal authorities and tools that are unavailable to non-governmental entities and to enlist the assistance of international law enforcement partners to locate stolen data or identify the perpetrator. These tools and relationships can greatly increase the odds of successfully apprehending an intruder or attacker and securing lost data.
- Early reporting to and cooperation with law enforcement will likely be favorably considered when a company’s responses are subsequently examined by regulators, shareholders, the public, and other outside parties (i.e., cooperating with law enforcement increases the victim company’s credibility).
- Law enforcement might be able to get brief delays in breach reporting requirements so that they can pursue active leads.
- A successful prosecution prevents the criminal from causing further damage and might deter others from trying.
- Information shared with investigators might help protect other victims, or even other parts of the same organization, from further loss and damage.
- Reporting the crime might be a requirement of a cyber insurance policy.
The Department of Justice recommends that you attempt to establish a relationship with your local federal law enforcement offices long before you suffer a cyber incident. Having a point of contact and a pre-existing relationship with law enforcement will facilitate any subsequent interaction if you need to enlist law enforcement’s assistance. It also will help establish the trusted relationship that cultivates bi-directional information sharing that is beneficial both to your organization and to law enforcement. What’s more, the NIST Special Publication 800-184 Guide for Cybersecurity Event Recovery indicates you should have a pre-established secure communication channel with external law enforcement to share and discuss the detection, response and recovery steps.
Stacy Stevens, Unit Chief of the FBI’s Mission Critical Engagement Unit, encourages companies to get a point of contact within the FBI prior to an incident. “The first time that you talk to the FBI should not be when an incident occurs. At that point, you’re already behind the eight ball,” says Stevens. “The FBI has 56 field offices throughout the United States, and each one of those field offices has a Cyber Task Force (CTF) and also InfraGard, which is one of the main ways we interact with private industry. Your local InfraGard coordinator can help you connect with a CTF member.”
Stevens stresses the importance of private industry organizations having an incident response plan in place that includes who to call in the event of a cyber or any other type of incident. “When you are proactively talking to law enforcement and you develop a relationship, be sure to include that agency in your incident response plan as someone to notify if you have an event,” says Stevens.
Report Your Incidents
In terms of what types of cyber incidents should be reported to the FBI, Stevens says the agency looks at activity ranging from nation-state intrusion to criminal attacks. “If you’ve been intruded upon, you should contact law enforcement so we can get an understanding of what has gone on,” says Stevens. “The FBI is going to look at who conducted the attack. We look for attribution, and what their tactics, techniques and procedures were to get in. For the good of industry as a whole, and the United States as a whole, if we can figure out who is doing this, then we know how to stop it in the future.” This type of information may also be shared with other organizations through InfraGard to help protect them by making them aware of known threats.
If your incident is a crime (and not simply negligence), you should report it to the FBI’s Internet Crime Complaint Center (IC3) at www.IC3.gov. This is a reliable and convenient mechanism to report information to the FBI. However, you should still call your local FBI field office for serious matters.
| Organization and Key Points of Contact | What to Report |
| --- | --- |
| U.S. Department of Homeland Security (DHS), National Protection and Programs Directorate (NPPD): National Cybersecurity and Communications Integration Center (NCCIC) (http://www.dhs.gov/about-national-cybersecurity-communications-integration-center); NCCIC@hq.dhs.gov or (888) 282-0870 | Suspected or confirmed cyber incidents that may impact critical infrastructure and require technical response and mitigation assistance |
| United States Secret Service: Secret Service Field Offices (http://www.secretservice.gov/field_offices.shtml); Electronic Crimes Task Forces (ECTFs) | Cybercrime, including computer intrusions or attacks, transmission of malicious code, password trafficking, or theft of payment card or other financial payment information |
| Immigration and Customs Enforcement Homeland Security Investigations (ICE HSI): ICE HSI Field Offices (http://www.ice.gov/contact/inv/); ICE HSI Cyber Crimes Center (http://www.ice.gov/cyber-crimes) | Cyber-based domestic or international cross-border crime, including child exploitation, money laundering, smuggling, and violations of intellectual property rights |
| U.S. Department of Justice (DOJ), Federal Bureau of Investigation (FBI): FBI Field Offices (http://www.fbi.gov/contact-us/field); Cyber Task Forces (https://www.fbi.gov/file-repository/cyber-task-forces-fact-sheet.pdf/view); Law Enforcement Online Portal (https://www.cjis.gov/CJISEAI/EAIController) or (888) 334-4536; Internet Crime Complaint Center (IC3) (https://www.ic3.gov/default.aspx) | Cybercrime, including computer intrusions or attacks, fraud, intellectual property theft, identity theft, theft of trade secrets, criminal hacking, terrorist activity, espionage, sabotage, or other foreign intelligence activity |