GUIDE TO REPORTING CYBERSECURITY INCIDENTS TO LAW ENFORCEMENT AND GOVERNMENTAL AGENCIES

INTRODUCTION. 

  1. The Conundrum of Cybersecurity Law Schizophrenia. 
  2. The Importance of Being Prepared: “You Do Not Drown from Falling into the Water.” 
  3. The Most Important Point of this Guide. 
  4. Limited Scope of Article. 

GOVERNMENT NOTIFICATION OF BREACH. 

  1. Government Notification of Breach—Technically Speaking. 
  2. Tuma’s Cybersecurity Incident Checklist. 
  3. FTC Data Breach Response Guide.
    1. Immediate Steps 
    2. Next Steps 
    3. Send Notification. 
  4. Government Notification of Breach—Practically Speaking. 
    1. Determine what data was breached. 
    2. Has there been an actual “breach” that triggers notification under the particular states’ laws?
    3. Which laws require notification (disclosure) to the states’ attorneys general?
    4. Which laws require pre-notice of a breach notification?
    5. When must a breach notification be provided?
    6. How to disclose.
  5. The Texas Data Breach Notification Law. 
    1. What is a “breach of system security”?
    2. What is “sensitive personal information”?
    3. Who does the law apply to?
    4. Who must be notified?
    5. When must the notification be given?
    6. How must notification be given?
    7. What is the penalty for failure to notify?

UNDERSTANDING BASIC “DATA BREACH” FOUNDATIONS. 

  1. Is an Event an “Incident” or “Breach”?
    1. Incident.
    2. Breach. 
    3. Is Ransomware a Breach or an Incident?
    4. Is Encryption a Blanket Safe Harbor?
  2. Is an Event Caused by Criminal Actions or Negligence?
  3. What is the Difference Between Reporting, Disclosing, and Notifying?
  4. How are Breach Notification and Unauthorized Access of Computers Laws Related?

REPORTING CRIMINAL ACTS TO LAW ENFORCEMENT. 

  1. Understanding the Role of Law Enforcement.
  2. Which Law Enforcement Agency Do You Report To?
    1. Federal Law Enforcement. 
    2. State and Local Law Enforcement.
    3. When Will Law Enforcement Get Involved or Not Get Involved?
  3. Benefits of Reporting to Law Enforcement. 
  4. Dispelling the Myths of Reporting to Law Enforcement. 
  5. Is Reporting to Law Enforcement Mandatory?
    1. State Data Breach Notification Laws. 
    2. DOJ Best Practices.
    3. FTC Guidance.
    4. NIST Guidance.
    5. U.S. Senate Requests to Yahoo.
    6. Credibility. 
  6. How to Report a Cybersecurity Incident to Law Enforcement.
    1. Cyber Incident Reporting: A Unified Message for Reporting to the Federal Government

APPENDIX A: CYBERSECURITY INCIDENT CHECKLIST.

APPENDIX B: TEXAS BREACH NOTIFICATION LAW.

APPENDIX C: BEST PRACTICES FOR REPORTING OF CYBER INCIDENTS.

APPENDIX D: CYBER INCIDENT REPORTING GUIDE.

INTRODUCTION.

Cybersecurity is an issue that evokes equal parts fear and confusion for business leaders. Anyone who has been involved in a real data breach will easily understand why an effective analogy for describing such an event is to imagine being in a building that is on fire. There is panic, there is fear, there is chaos, there is confusion. It is a crisis situation.

The Conundrum of Cybersecurity Law Schizophrenia.

One reason cybersecurity engenders so much fear is the unique way this area of law, policy, and public perception treats organizations that have experienced data breaches. This is one of the few, if not the only, situations where the victim of an illegal act is transformed into the wrongdoer. In the more typical scenario, an organization is attacked by an illegal act or, at a minimum, an impermissible act directed against its computer network. The wrongful act against the organization’s network causes harm to the organization. At that point in time, however, the organization begins to be viewed as the wrongdoer, as the focus of blame shifts to the organization for allowing itself to succumb to the attack.

Unauthorized access to computers, often referred to as “hacking,” and data breach are two sides of the same coin, and more often than not the organization is blamed for both. What is even more unfortunate is that companies’ primary legal vehicles for protecting against these kinds of misuses of their computer networks are the unauthorized access laws, primarily the federal Computer Fraud and Abuse Act[1] (CFAA) and Texas’ Breach of Computer Security[2] (BCS) law, and there is a growing movement among those in the “no limit” crowd and the “security research” crowd that seeks to substantially limit companies’ ability to use these laws in most cases, especially those in which the misuse is by privileged users (insiders), which accounts for over 70% of all data breaches. This legal schizophrenia puts companies dead center in a conundrum in which there is no upside. Cybersecurity can be scary, but it becomes far more dangerous when ignored.

The Importance of Being Prepared: “You Do Not Drown from Falling into the Water.”

While there is little that a company can do to change the cybersecurity law schizophrenia, there are things that companies can do to minimize the harm that results from cybersecurity incidents. Much of this chaos and confusion can be limited by having a written Cybersecurity Incident Response Plan that key players understand and that has been practiced. Having such a Plan is essential. You do not wait until your building is on fire to start planning how to get out. Similarly, you should not wait until you are in the middle of a cybersecurity incident to start planning how your company will respond. You cannot plan for everything, but you can plan for a lot, and doing so removes a lot of the confusion and chaos and gives some order to how to approach and handle the situation. Consider this saying and then apply it to cybersecurity: “You do not drown by falling in the water; you drown by staying there.” Companies do not face catastrophic loss simply because they have a cybersecurity incident; they face catastrophic loss when they have not prepared and are unable to respond to or recover from a cybersecurity incident.

The Most Important Point of this Guide.

The laws are not optional. When there is a duty, as explained in this Guide, the duty is mandatory.

There is a grave misunderstanding among many business leaders who believe that when their company has had a data breach, notifying the affected individuals and disclosing to appropriate governmental regulators is optional. It is not. Unfortunately, the author encounters this on a regular basis. This problem is perpetuated by there being far too many lawyers who do not practice in the cybersecurity and privacy area of law but, without knowing, advise such clients that it is really not that serious and is being blown out of proportion. This advice is wrong and should qualify as malpractice.

If you need further convincing, ask yourself whether you believe that companies like Target, Home Depot, Neiman Marcus, Spec’s, Ashley Madison, and Yahoo aired their dirty laundry publicly solely because they believed it was the right thing to do. They had to – cybersecurity is a legal issue – the laws require that companies disclose this information and mandate how they disclose it, when they disclose it, what information they disclose, what they do for those affected, and to whom it must be disclosed.

Limited Scope of Article.

This article is limited in scope and is only intended to address United States state and federal requirements. It does not address international obligations, industry groups, or contractual obligations that frequently include reporting or notification requirements.

GOVERNMENT NOTIFICATION OF BREACH.

Government Notification of Breach—Technically Speaking.

In its narrow, technical sense, government notification of breach is not a particularly difficult or complicated process to explain. Because this article is focused on breaches limited to the United States, it involves when and how to notify the federal and state governments and regulatory agencies.

Tuma’s Cybersecurity Incident Checklist.

To see where reporting fits into the overall incident response process, review the Cybersecurity Incident Response Checklist (Appendix A). Reporting, disclosure, and notification are reflected in these steps: “Preliminarily determine legal obligations,” “Determine whether to notify law enforcement,” “Confirm notification / remediation obligations,” “Plan and time notification ‘drop’.”

Please note, this is only an abbreviated checklist. It is neither a comprehensive incident response policy nor an incident response plan and should not be substituted as such.

FTC Data Breach Response Guide.

The Federal Trade Commission (FTC) published a guide for responding to data breaches, Data Breach Response: A Guide for Business,[3] that recommends companies take the following steps:

Immediate Steps

  • Fix Vulnerabilities
  • Assemble a team of experts
  • Identify a data forensics team
  • Consult with legal counsel
  • Secure physical areas
  • Stop additional data loss
  • Remove improperly posted information from the web
  • Interview people who discovered the breach
  • Do not destroy evidence

Next Steps

  • Think about service providers
  • Check your network segmentation
  • Work with your forensics experts
  • Have a communications plan

Send Notification

  • Determine your legal requirements
  • Notify Law Enforcement
  • Did the breach involve electronic health information?
  • Health breach resources
  • Notify affected businesses
  • Notify individuals

Government Notification of Breach—Practically Speaking.

Here we will drill down a little deeper. Before going further, understand the difference between “reporting,” as in reporting a crime, “disclosure,” as in disclosing a breach to government regulators, and “notification,” as in providing notice of a breach to affected individuals. There is no rule that says this is how it is and, frankly, most seasoned professionals will use the words interchangeably and there is nothing wrong with doing so. However, for clarity and to lessen the confusion when explaining these concepts, this is how they will be used in this article. This issue is explained in greater detail in Section III.

Here are the basic steps that should be taken in a data breach response, including government reporting (to law enforcement) and government disclosure (to regulatory agencies).

Determine what data was breached.

The first step in planning a data breach response is to determine what data is believed to have been breached.

What type of data is it?

Determine what type of data it is. Look at the nature of the data to determine whether it was personally identifiable information (PII), which is what is covered by the state data breach notification laws; personal health information (PHI), which is covered by the federal HIPAA and HITECH laws as well as many state laws; customer data from financial institutions, which is covered under the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA); or payment card data (PCI), which is covered by the Payment Card Industry (but that is a non-governmental industry standard and beyond the scope of this article).

Depending on the nature of the data, you may be required to disclose to one or more federal or state agencies, in addition to notifying the data subjects themselves (i.e., the people whose personal information was exposed).

Which laws apply?

Regulated industries may have unique and detailed notification requirements.

Companies operating in regulated industries should determine which regulatory agencies they are governed by and then research whether that particular agency has a notification requirement. If it does, which is likely, they must determine what the particular requirements are and comply with them. Some are obvious and well-known, most are not, and the intricacies of those requirements are voluminous and well beyond the scope of this article.

One of the more obvious is for the health care industry. For PHI breaches by a covered entity,[4] notice (disclosure) must be given to the Secretary of the United States Department of Health & Human Services (HHS) by going to the HHS website and filling out and electronically submitting a breach report form.[5] “If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.”[6]

State law applies in most breaches.

For breaches of all types of data, you must determine where the data subjects reside to see which states’ data breach laws apply. Because there is no national uniform data breach notification law (or standard), the various federal or state laws and regulations determine what a company must do after it has had a data breach, including who must be notified. In most cases, it is the law of the state where the company is doing business and the law of the state or states where the individual data subjects reside that govern.

As of the time of this writing, 47 states, the District of Columbia, Puerto Rico, and the Virgin Islands have their own data breach notification laws, and while most of those laws are fairly consistent in their requirements, there are quite a few differences in others, especially the laws of Massachusetts and California, which can be quite a bit different. Moreover, because of the importance of cybersecurity and data breach combined with the perpetual desire by legislators to show they are “doing something,” at any given time there are multiple proposed bills in multiple states that have the potential to change these laws.[7] “These breach laws typically have provisions that clarify who must comply, the type of information that is affected, what constitutes a breach, requirements for providing notice, and exemptions.”[8]

Regardless of how well one may believe they know the “law of data breach” or how many breach responses they have guided clients through, it would be negligent to not review the current state of the law and the proposed bills in the relevant states before guiding their company or client through a new data breach response. Fortunately, several large law firms have prepared charts of state data breach notification laws that are available on the Internet and can be a valuable resource.[9] Use them with caution, however, because they are not continuously updated so you should always verify that the laws have not changed from the time the charts were last updated until the time of your breach response.

Has there been an actual “breach” that triggers notification under the particular states’ laws?

The word “breach” is often used to describe computer events or incidents (see the sections below for more explanation) but the meaning of “breach” itself is more of a legal definition than anything else. Different states define a “breach” as being different things so it is important that you review the laws of the relevant jurisdictions to determine if there has been a data breach that triggers notification under those laws. Determining what constitutes a “breach” is explained in greater detail in Section III. Pay particular attention to the discussion of whether there is an encryption safe harbor which is no longer an easy answer.

Which laws require notification (disclosure) to the states’ attorneys general?

The following states require private companies to provide some form of disclosure to their state attorney general or other state agency, in various forms and under various circumstances (often depending on the number of residents affected): Alaska, California, Connecticut, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Louisiana, Maine, Maryland, Massachusetts, Missouri, Montana, Nebraska, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Oregon, Puerto Rico, Rhode Island, South Carolina, Vermont, Virginia, and Washington. In most cases, the notifications are sent to the government simultaneously with sending them to the affected individuals.

Which laws require pre-notice of a breach notification?

Some states require private companies to provide advance disclosure to their state attorney general or other state agency well before the notifications are provided to the affected individuals. The following states require such pre-disclosure to a governmental agency before sending out a breach notification to its residents: California, Connecticut, New Hampshire, New Jersey, New York, North Carolina, Puerto Rico, and Washington.

When must a breach notification be provided?

Many states require notifying the affected individuals “in the most expedient time possible” or “without unreasonable delay,” while others set a fixed deadline: within 45 days (OH, RI, TN, VT, WA, WI), within 30 days (FL), or within 7 days of completing the investigation (MN).

Virtually all state and federal governmental branches and agencies provide that notifications can be delayed if such a delay is requested by law enforcement. In some cases, this is one more reason why it is beneficial to report cyber incidents to law enforcement, which will be addressed in detail in Section IV.

How to disclose.

In most situations government notification of a breach involves disclosing to state attorneys general[10] or other state agencies. This is usually done by sending a “sample” or “template” of the notification that will be provided to the affected individuals, usually by email, but sometimes via designated reporting portals. Some states require using a particular form, such as New York[11] and North Carolina.[12]

The Texas Data Breach Notification Law.

The Texas data breach notification law is titled Notification Required Following Breach of Security of Computerized Data[13] (Appendix B) and provides as follows:

(b)  A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

What is a “breach of system security”?

The law defines “breach of system security” as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.”

Regarding insiders, the law specifically states that “[g]ood faith acquisition of sensitive personal information by an employee or agent of the person for the purposes of the person is not a breach of system security unless the person uses or discloses the sensitive personal information in an unauthorized manner.”[5] In other words, if an insider is authorized to access company SPI for a valid business purpose, and does so, but later uses or discloses that information in an unauthorized manner, it is a data breach under the Texas breach notification statute. See Yes, Texas’ breach notification law is triggered by insider misuse.

What is “sensitive personal information”?

The Texas breach notification law only applies to a narrower subset of what is often referred to as personally identifiable information, which Texas defines as “sensitive personal information,” and is relatively detailed and specific such that it should be read carefully. A couple of general points will provide an overview of what is and is not protected:

  • Information that is lawfully made available to the public from a federal, state, or local governmental body is not considered sensitive personal information
  • Sensitive personal information does include “an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:” Social Security number, driver’s license number or other government issued identification number, account or card numbers in combination with the required access or security codes
  • Also included is information that identifies an individual and is related to their health condition, the provision of health care, or payment for health care

Who does the law apply to?

The law applies to any person (which includes entities) who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information.

Who must be notified?

The law requires notification to “any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” This is an incredibly broad class of individuals that is certainly not limited to only Texas citizens and, quite possibly, is not even limited to citizens of the United States.

When must the notification be given?

The notification must be given as quickly as possible after it has been determined that an individual’s sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. However, the notification may be delayed as necessary to determine the scope of the breach and restore the reasonable integrity of the data system or at the request of law enforcement to avoid compromising an investigation.

How must notification be given?

Generally speaking, under Section 521.053 of the Texas breach notification law the default method for providing notice is in writing, mailed to the individual’s last known address. Electronic notice is permitted in two circumstances: (1) If the individual has previously consented to receiving such notifications electronically, in accordance with 15 U.S.C. Section 7001; or (2) In situations where the cost of providing notice would exceed $250,000, the number of affected persons exceeds 500,000, or the person does not have sufficient contact information. In the latter circumstance, notice may also be given by conspicuous posting of the notice on the person’s website or notice published in or broadcast on major statewide media.

What is the penalty for failure to notify?

Section 521.151 of the law provides that the penalty for failing to comply with this notification requirement is a civil penalty of up to $100.00 per individual per day of delay, not to exceed $250,000 for a single breach.

There is a lot of confusion in the world of “data breach” and it is only growing. Now that you have a basic understanding of the reporting process, it is time to dig a bit deeper into the nuances that go into determining what, if anything, needs to be reported and, if it does, when and to whom. The best place to begin is by learning some key foundational principles.

UNDERSTANDING BASIC “DATA BREACH” FOUNDATIONS.

When a company has a cybersecurity or privacy event that potentially jeopardizes the confidentiality, integrity, or availability of information, it may need to do several things that seem to be quite similar and can create confusion as to which does what. It may need to report the event to law enforcement, disclose it to state and federal regulators, and notify data subjects whose information was involved. While they all sound similar, each is different and has a different purpose. In order to understand these distinctions, it is important to understand some foundational principles.

Is an Event an “Incident” or “Breach”?

The first place to start is by determining whether the organization has even experienced a data breach. Or, has it experienced a cybersecurity incident? Facially this may appear to be a question of semantics but the implications can be substantial. All breaches are incidents but not all incidents are breaches.

The words “data breach” are often used generically to describe all cybersecurity events without regard to whether any data was actually breached. Cybersecurity “incidents” is a better way to generically describe these events because it is broader and can encompass both incidents where data has been compromised and those where data was not compromised.

The National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide[14] is an official publication of the United States government. Perhaps more importantly, federal regulatory agencies tend to look to NIST cybersecurity standards when evaluating companies’ cybersecurity practices. The Federal Trade Commission (FTC) has recently gone as far as publishing how the NIST cybersecurity framework meshes together with its own data security program.[15] Companies would be well advised to carefully observe the NIST Cybersecurity Framework.

Incident.

Incident is defined by the NIST Cybersecurity Framework as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”[16] The United States Department of Justice provides a more detailed definition of incident as “An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, acceptable use policies or standard computer security practices.”[17]

Breach.

Breach is not defined by the NIST Cybersecurity Framework, however, the DOJ provides a definition: “The term “breach” is used to include the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to information, whether physical or electronic. It includes both intrusions (from outside the organization) and misuse (from within the organization).”[18]

Incident is a broader term to describe an event that actually or potentially jeopardizes the confidentiality, integrity, or availability of a computer network or the information stored on or transmitted by the computer network. Breach is a narrower term that describes the actual loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or unauthorized access of information – data. For example, an incident that results in unauthorized acquisition of personally identifiable information in unencrypted form would be a breach. If the information were encrypted and the means for decrypting were not available, it would not be a breach[19] though it would still be an incident.

Is Ransomware a Breach or an Incident?

Crypto-style ransomware has blurred the traditional distinction between incidents and breaches. There are many variations of this kind of malware, all of which share the “defining characteristic that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid.”[20] This can be devastating, as it can encrypt the data on a computer, a computer network, any attached drives, backup drives, and potentially other computers on the network.[21] Given that this data was typically only encrypted and made unavailable to the user but was not actually obtained by the bad actor, most people did not consider it to be a breach of the data.[22]

In early July 2016, the U.S. Department of Health and Human Services (HHS) issued a directive on ransomware that classified it as a presumptive breach under the Health Insurance Portability and Accountability Act (HIPAA) for two reasons.[23] First, because some variants of ransomware also destroy or exfiltrate data, or work in conjunction with other malware that does so. Second, “[w]hen electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.”[24] Under the HHS guidance, there is a presumption that it is a breach; however, there is a multifactor assessment that can be used to show circumstances where it may not be considered a breach.

As of the drafting date, the HHS directive is the only major one that has publicly classified ransomware as a breach and that only applies to situations dealing with protected health information (PHI) under HIPAA. Thus, ransomware that attacks PHI will be presumed to be a breach whereas ransomware that attacks other forms of information, including what is commonly understood as being personally identifiable information (PII) is generally not considered a breach. Of course, there may be exceptions, it could change at any time, and it will likely evolve.

Is Encryption a Blanket Safe Harbor?

Picking up on the HHS directive regarding data encrypted by ransomware, there is a much larger question of whether encrypted data is still afforded a blanket safe harbor from breach notification requirements under state law. Generally speaking, most states have been consistent in treating data that was adequately encrypted before it was “breached” as falling within a safe harbor that did not require notification.

On July 1, 2016, Tennessee became the first state to change course on this issue by amending its breach notification statute to potentially require notification regardless of whether the data was encrypted. Under the Tennessee law, encryption is no longer a blanket safe harbor but is now one factor to be considered in performing a risk assessment to determine whether notification is necessary.[25] One can anticipate that this issue will evolve as well.

Is an Event Caused by Criminal Actions or Negligence?

There are two primary causes of breach events: (1) intentional wrongdoing, such as when an outside “hacker” penetrates the network and steals information or, in Texas and the Federal Fifth Circuit, when an employee intentionally accesses and takes forbidden information for his own purposes, both of which are generally considered criminal acts;[26] or (2) carelessness or negligence, such as when a company insider misplaces an unencrypted USB thumb drive containing PII.

Whether an event is considered to be an incident or a breach is determined by the nature of the event, not what caused it. Whether an event is considered to be criminal or negligence is determined by the actions that caused the event. Some incidents will be criminal but not a breach; some breaches will be negligence but not criminal. Both of the situations described above are breaches[27] though the first was caused by a criminal act and the second was a result of negligence.

Criminal actions should be reported to law enforcement. There may be situations where a negligence-based situation should be reported to law enforcement, but this will be determined on a case-by-case basis.

What is the Difference Between Reporting, Disclosing, and Notifying?

In the world of cybersecurity incidents and data breaches, the terms “reporting,” “disclosure,” and “notification” are often used interchangeably which can create a significant amount of confusion. While there is no standard definition or, to the author’s knowledge, right or wrong way of using them, it is important to be clear about which is which when trying to explain and understand the concepts discussed herein. Most often the terms are used in the following way and, for purposes of clarity, that is how these terms will be used throughout this article:

  • Reporting is used to describe reporting a crime to law enforcement.
  • Disclosure is used to describe notifying state or federal agencies of a data breach.
  • Notification is used to describe notifying the data subjects, that is, the individual persons whose information was compromised in a data breach.

How are Breach Notification and Unauthorized Access of Computers Laws Related?

Computer misuse and data breach are opposite sides of the same coin and are intrinsically related. In most scenarios, a company starts out being the victim of a computer misuse, whether intentionally through a criminal act or through an act of negligence, by having its computers used in an inappropriate way. In this, it is the victim. Then, however, in the eyes of the law, public policy, and public perception, the company is transformed into the wrongdoer because it allowed itself to be a victim of such misuse. A good example of this can be seen in the case of Shopify, in which two rogue employees accessed merchant transaction records beyond their authorization, which led to Shopify providing breach notifications. The Shopify situation came on the heels of a similar event with Instacart that likewise triggered breach notifications. Legally speaking, the unauthorized access of computers laws are intended to protect the company against such misuses. The breach notification laws set forth the requirements for what the company must do after it has sustained such an attack.

REPORTING CRIMINAL ACTS TO LAW ENFORCEMENT.

The author firmly believes that in all but (perhaps) the most extraordinary of circumstances companies should report cybersecurity incidents that are criminal acts to law enforcement. There are several issues that need to be examined when it comes to reporting such incidents.

Understanding the Role of Law Enforcement.

Law enforcement is not your company’s cyber nanny. Reporting a cybersecurity incident to law enforcement is not a substitute for fulfilling your company’s obligations to take all reasonable measures to contain the incident, investigate the incident, remediate the incident, and notify in accordance with the rules discussed above. Whether reporting an incident to law enforcement or not, companies must faithfully fulfill all of those obligations.

Law enforcement is not able to aggressively pursue every case, or even take every case. Given how prolific cybercrime is and the limited resources available to law enforcement, it is important that law enforcement be strategic in how it allocates those limited resources. This means that law enforcement is not idly sitting by waiting for your company to report its case so that they can then go pounce on the bad guys. But that does not mean your company should not report the case to law enforcement officials.

Law enforcement’s primary role is to protect society, investigate crimes, and enforce criminal law, not swoop in and save companies from all of the harms that may befall them via the Internet or leave no stone unturned in pursuing their attackers and collecting their money. But, in the author’s experience, law enforcement will do everything that is reasonably within their power in appropriate circumstances in order to help victim companies recover.

While law enforcement may often be the best ally and most effective resource a company has in investigating and recovering funds or information lost from a cybersecurity incident, it is important to always remember that this is not law enforcement’s primary responsibility. Law enforcement’s primary role is to catch the bad guys. That is, its role is to enforce the laws, investigate crimes, and pursue criminals and bring them to justice. Many times, law enforcement’s pursuit of this role works hand-in-hand with the company’s objectives of learning how an incident occurred and recovering information that was taken.

When criminal actions may have caused a cybersecurity incident, such incident should be reported to law enforcement as soon as possible. These actions are crimes that are no different than if someone were robbed on the street. They should be treated as such.

Which Law Enforcement Agency Do You Report To?

Federal Law Enforcement.

In most cases, federal law enforcement authorities are going to have the best capabilities and resources to pursue cybersecurity incidents. The United States Secret Service (USSS) and Federal Bureau of Investigation (FBI) are designated as having concurrent jurisdiction to investigate “computer fraud” incidents under the Computer Fraud and Abuse Act[28] and the FBI is designated as having primary jurisdiction over certain areas involving espionage, foreign counterintelligence, national defense, foreign relations, or certain restricted data. In reality, however, both the USSS and FBI seem to work cybersecurity incident cases without getting too caught up in the jurisdictional distinctions and both are great resources to use for reporting cybersecurity incidents to law enforcement.

In the “how to” section below, there will be further discussion of the process of reporting these incidents.

State and Local Law Enforcement.

Some state data breach notification laws reference reporting to law enforcement and obtaining a “police report” as part of the notification process. Many times, the simplest and easiest way to do this is to report the cybersecurity incident to state or local law enforcement authorities.

Oftentimes this is a perfunctory matter that is done to ensure compliance with this “check the box” process, but nothing substantive really comes from making such a report. A key reason for this is that most state and local law enforcement departments do not (yet) have the training, equipment, resources, or manpower available to the federal agencies such as the USSS and FBI.

On the other hand, because of the overwhelming volume of cybersecurity incidents that the USSS and FBI are actively pursuing, it is oftentimes easier to pique the interest of state or local law enforcement in pursuing incidents that may not otherwise be substantial enough to be picked up by the federal agencies. It is advisable to evaluate reporting at all levels and then make a determination as to which is most appropriate for the given situation. This is especially true for those in larger metropolitan areas where the local police departments have substantially more resources available to them than those in some of the smaller or more rural jurisdictions.

For those interested in further exploring working with local law enforcement on cybersecurity incidents, The Role of Local Law Enforcement Agencies in Preventing and Investigating Cybercrime[29] is an excellent guide that discusses this issue in great detail.

The Texas Department of Public Safety’s Computer Information Technology and Electronic Crime (CITEC) Unit outlines steps for reporting computer hacking to Texas authorities.[30]

The remainder of this article will focus on working with federal law enforcement.

When Will Law Enforcement Get Involved or Not Get Involved?

There is often a good deal of discussion about whether law enforcement will get involved in certain types of cases. At the federal level, there is frequently a conflict in the information about whether there are minimum thresholds required before law enforcement will take a cybersecurity incident case. The author has been given different answers to this question by federal law enforcement authorities in different areas of the United States on the question of whether the losses in a case need to exceed a certain value before federal authorities will consider opening an investigation. What is clear is that cases that involve threats to national security, public health and safety, and critical infrastructure will be of high interest to federal law enforcement authorities.

On the other hand, there are cases that both federal and state and local law enforcement authorities will usually avoid. Those are the cases where it appears that parties are trying to use law enforcement’s presence in the case as a threat or leverage against other parties in an existing dispute. For example, when there is existing litigation between parties, it would take an extraordinary case with a significant overt criminal act to entice law enforcement to consider opening an investigation into such an allegation.

The reason for this is obvious: law enforcement does not want to be used, or be perceived as allowing itself to be used, as a tool to give one party an unfair advantage or negotiating advantage over the other party. To a lesser degree, the same can be said of some personal disputes and family disputes, such as where one spouse is asserting “computer hacking” allegations against the other spouse in the more trivial situations that can arise in such contexts. While the alleged criminal conduct may have technically violated the relevant statute and could very well give rise to a civil cause of action, law enforcement officials will often tread more carefully in such areas before opening an investigation.

Benefits of Reporting to Law Enforcement.

There are a multitude of reasons why it is beneficial to report to law enforcement cybersecurity incidents that may have been criminal in nature. The United States Department of Justice (DOJ) contributed a chapter to a book in which it explains many of the benefits of working with law enforcement:

Why work with law enforcement?

The first question that may come to mind in the hours after a cyber incident is why companies should work with law enforcement at all. After all, it introduces another source of management challenges to an already difficult working environment. However, working with law enforcement can have significant benefits:

  • Agencies can compel third parties to disclose data (such as connection logs) necessary to understanding how the incident took place, which can help a company better protect itself.
  • Investigators can work with foreign counterparts to obtain assistance that may be otherwise impossible.
  • Early reporting to and cooperation with law enforcement will likely be favorably considered when a company’s responses are subsequently examined by regulators, shareholders, the public, and other outside parties.
  • Law enforcement may be able to secure brief delays in breach reporting requirements so that they can pursue active leads.
  • A successful prosecution prevents the criminal from causing further damage and may deter others from trying.
  • Information shared with investigators may help protect other victims, or even other parts of the same organization, from further loss and damage.

Effective partnership with law enforcement can be built into an overall response plan, especially when companies understand law enforcement’s priorities and responsibilities.[31]

The aforementioned chapter also has excellent advice on best practices for preparing to work with law enforcement, how to reach authorities for assistance, and what to expect when working with law enforcement, among other valuable information.

Dispelling the Myths of Reporting to Law Enforcement.

Unfortunately, there is a lot of misinformation in the legal community when it comes to reporting cybersecurity incidents to law enforcement. Much of this comes from the generally cautious nature of attorneys, their instincts to not involve law enforcement unless necessary, and their training to never volunteer information and only answer the questions asked. This is magnified by concerns over bad things that can happen when someone voluntarily shares information with law enforcement, which is why the author’s law school Evidence professor’s video, Don’t Talk to Cops, went viral on YouTube.[32]

Unfortunately, most of these concerns are premised on those that arise from situations where the person talking to law enforcement is the suspect or is accused of committing the act being investigated. That is not the case here, and it is why answering the question of “how do you notify the government of a breach” is not nearly as simple a question as it may seem. Referring back to the Conundrum of Cybersecurity Law Schizophrenia discussed in Section I. A., this is part of the reason why such a detailed explanation of this issue is important. This is also why it is important to understand the distinctions discussed in Section III. C. Reporting a potential criminal cybersecurity incident to law enforcement is not the same thing as disclosing a data breach to a federal or state agency. Consider the timeline of events—the former occurs almost immediately after the incident is discovered, whereas the latter does not occur until after there has been at least some investigation and it has been determined that breach disclosure and notification is required under the relevant law.

As mentioned above, the author has represented clients with cybersecurity issues for nearly 2 decades and during this time has guided clients through numerous cybersecurity incidents where the incidents were reported to law enforcement. The author has never regretted reporting one of these incidents to law enforcement. Based on the author’s own experiences as well as numerous discussions with law enforcement authorities about this subject, when a company reports a cybersecurity incident to law enforcement, law enforcement is there to help the company and still treats it as the victim of a crime—not the criminal actor, which is how it is often treated later by other agencies as well as the public under the Conundrum of Cybersecurity Law Schizophrenia. More importantly, law enforcement authorities in this situation do not “tattle” to other federal or state agencies about what has been reported to them or the results of their investigation.

Law enforcement respects the company’s need to keep the incident confidential and does not disclose the incident to the public or the press under normal circumstances. The working with law enforcement book chapter addresses this issue:

Law enforcement agencies, including the FBI and the U.S. Secret Service, prioritize conducting cyber investigations in ways that limit disruptions to a victim company’s normal operations. They work cooperatively and discreetly with victims, and they employ investigative measures that avoid computer downtime or displacement of a company’s employees. If they must use an investigative measure likely to inconvenience a victim, they try to minimize the duration and scope of the disruption.

Law enforcement agencies also conduct their investigations with discretion and work with a victim company to avoid unwarranted disclosure of information. They attempt to coordinate statements to the news media concerning the incident with a victim company to ensure that information harmful to a company’s interest is not needlessly disclosed and work with companies on timing. Law enforcement also has tools, including obtaining judicial protective orders, that can protect sensitive information from disclosure during investigations and prosecutions.

If an investigation is successful and an indictment is contemplated, prosecutors will consider victims among other factors when making charging decisions. If a particular charge would place sensitive company information at risk, for example, prosecutors may seek protection from the court or, if appropriate, use alternative charges that can reduce that risk, while still serving the overall interests of justice.[33]

Indeed, the author has regularly been advised by law enforcement personnel that, if an incident has a particularly high level of sensitivity and there is concern over whether it should be reported, counsel may contact them as legal counsel for an undisclosed client and discuss the situation in terms of a hypothetical, without disclosing the actual name or particular identifying characteristics of the client.

Finally, there is often concern among both attorneys and company executives that if they report the incident to law enforcement, they will take over the company’s investigation, network, and business operations. While these concerns are justified in situations where the company is the target of a criminal investigation or a regulatory enforcement action, that is not the case in situations where the company was the victim of a cybersecurity incident and is reporting the crime in a plea for help. Law enforcement works with the company and, while they will request access to certain information and assets for purposes of their investigation, they work carefully to do so in a nonintrusive manner so that they do not cause further harm to the company through the investigatory process.

Is Reporting to Law Enforcement Mandatory?

This is another question that does not have an easy answer. Technically speaking, “no,” there are no generally applicable blackletter laws that say “companies must report cybersecurity incidents to law enforcement or else face a penalty.” Practically speaking, however, the answer is not so clear and slides much further along the scale towards the side of “yes” though it cannot yet be said to be “yes.”

State Data Breach Notification Laws.

Many of the state data breach notification laws reference reporting incidents causing data breaches to law enforcement. At a minimum, this is an implicit requirement of the statutes, and oftentimes an overt requirement.

DOJ Best Practices.

The DOJ published Best Practices for Victim Response and Reporting of Cyber Incidents[34] (Appendix C) as an official government publication which encourages companies to engage with law enforcement before an incident[35] as well as when an incident occurs.[36] It is worth noting that this publication has an excellent Cyber Incident Preparedness Checklist in its appendix.[37]

FTC Guidance.

The FTC has become the primary enforcer of cybersecurity diligence among companies in the United States and, when it views something as being important, it is important. The FTC’s official publication, Data Breach Response: A Guide for Business, states that companies should report to law enforcement:

Call your local police department immediately. Report your situation and the potential risk for identity theft. The sooner law enforcement learns about the theft, the more effective they can be. If your local police aren’t familiar with investigating information compromises, contact the local office of the FBI or the U.S. Secret Service.[38]

In May 2015, the FTC published a blog post in which it explained how important it views reporting of cybersecurity incidents to law enforcement:

We’ll also consider the steps the company took to help affected consumers, and whether it cooperated with criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion. In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. Therefore, in the course of conducting an investigation, it’s likely we’d view that company more favorably than a company that hasn’t cooperated.[39]

NIST Guidance.

The NIST Computer Security Incident Handling Guide[40] is an official publication of the United States government and, as explained previously, the FTC places a substantial amount of credibility in what NIST recommends. Section 2.3.4.2 “Law Enforcement” of the NIST Guide clearly recommends reporting to law enforcement: “the incident response team should become acquainted with its various law enforcement representatives before an incident occurs to discuss conditions under which incidents should be reported to them, how the reporting should be performed, what evidence should be collected, and how it should be collected.”[41]

U.S. Senate Requests to Yahoo.

Several United States Senators have demonstrated that they too consider reporting to law enforcement to be an important step for companies to take. In September 2016, Yahoo disclosed that it had a data breach in 2014. Many were concerned that it did not provide notification of this breach until almost 2 years after it had occurred, and this gave rise to an inquiry by six United States Senators. On September 27, 2016, those Senators sent a letter to the CEO of Yahoo posing 8 questions to which they required answers. The first question was “When and how did Yahoo first learn that its users’ information may have been compromised? Please provide a timeline detailing the nature of the breach, when and how it was discovered, when Yahoo notified law enforcement or other government authorities about the breach, and when Yahoo notified its customers.”[42]

Credibility.

Finally, companies should report to law enforcement to show they are availing themselves of all available resources to protect against the past and potentially ongoing or future harm from the attackers. Many companies try to deflect negative attention away from their data breaches by arguing that they were victimized by “an unprecedented and sophisticated attack” that they could not have been expected to be able to defend against. At times, they will even claim to have been victims of “state sponsored” attacks that some will argue no private company should be expected to be able to defend against.

Using Yahoo as an example, in its breach notification letter, Yahoo used the words “state-sponsored actor” twice in the first paragraph and twice in the fourth paragraph—there were only four substantive paragraphs in the letter.[43] Clearly Yahoo was trying to subtly invoke the “it’s not our fault, we were the victim of a state-sponsored actor attacking us” defense. One cannot blame Yahoo; it works. However, it only works when you can demonstrate that you have used your best reasonable efforts to defend against such attacks. In a practical sense, it is difficult to imagine a company making such an argument with any level of credibility when it did not report the attack to law enforcement and seek law enforcement’s assistance, through its skills, training, equipment, and assets, to help it in such a situation.

How to Report a Cybersecurity Incident to Law Enforcement.

Cyber Incident Reporting: A Unified Message for Reporting to the Federal Government

The federal government has made reporting to law enforcement very easy for anyone to do. Understanding that it can sometimes be confusing trying to determine which agency to report to or how to make the report, in September 2016, the U.S. Department of Homeland Security published Cyber Incident Reporting: A Unified Message for Reporting to the Federal Government[44] (Reporting Guide) (Appendix D). This Reporting Guide is less than two pages and identifies which Key Federal Point of Contact to report to depending upon the nature of the threat and provides the name and contact information for the respective agencies.

 

APPENDIX A: CYBERSECURITY INCIDENT CHECKLIST

 

APPENDIX B: TEXAS BREACH NOTIFICATION LAW

 

APPENDIX C: BEST PRACTICES FOR REPORTING OF CYBER INCIDENTS

 

APPENDIX D: CYBER INCIDENT REPORTING GUIDE

CITATIONS

[1] Computer Fraud and Abuse Act of 1986, Pub. L. No. 99–474, 100 Stat. 1213 (codified at 18 U.S.C. § 1030 (2008)).

[2] Tex. Penal Code § 33.02. Texas’ Breach of Computer Security is a criminal law that has a civil cause of action if the conduct constituting the violation was committed knowingly or intentionally, which is Chapter 143 of the Texas Civil Practice and Remedies Code, titled the Harmful Access by Computer Act (HACA). See Tex. Civ. Prac. & Rem. Code § 143.001.

[3] Federal Trade Commission, Data Breach Response: A Guide for Business, https://www.ftc.gov/system/files/documents/plain-language/pdf-0154_data-breach-response-guide-for-business.pdf.

[4] This is different than that for a business associate which is required to notify the covered entity.

[5] HHS Health Information Privacy, Submitting Notice of a Breach to the Secretary, https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html

[6] Id.

[7] See National Conference of State Legislatures, Cybersecurity Legislation 2016 (last visited Nov. 2, 2016) http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2016.aspx

[8] Id.

[9] A few of the author’s favorites are: Baker Hostetler, Data Breach Charts (last visited Jan. 26, 2018) https://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/Data_Breach_Charts.pdf ;  Mintz Levin, State Data Security Breach Notification Laws (last visited Jan. 26, 2018) https://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf; and Perkins Coie, Security Breach Notification Chart (last visited Jan. 26, 2018) https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart.html.

[10] The state attorneys general usually have the primary role in enforcing these laws. In the author’s experience, there are often predictable questions they will ask so you should be prepared for these. See Business Cybersecurity Law, 3 Important Questions the State Attorneys General Will Ask Your Company Following A Data Breach, https://shawnetuma.com/2014/05/28/3-important-questions-the-state-attorneys-general-will-ask-your-company-following-a-data-breach/

[11] New York State Security Breach Reporting Form, https://its.ny.gov/sites/default/files/documents/Business-Data-Breach-Form.pdf

[12] North Carolina Department of Justice, Report a Security Breach, http://www.ncdoj.gov/getdoc/81eda50e-8feb-4764-adca-b5c47f211612/Report-a-Security-Breach.aspx

[13] Texas Bus. & Comm. Code § 521.053.

[14] National Institute of Standards and Technology, Computer Security Incident Handling Guide, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf [hereinafter, NIST Cybersecurity Framework].

[15] See Andrea Arias, The NIST Cybersecurity Framework and the FTC, Federal Trade Commission (Aug. 31, 2016) https://www.ftc.gov/news-events/blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc.

[16] NIST Cybersecurity Framework p.6.

[17] United States Department of Justice, DOJ Instruction: Incident Response Procedures for Data Breaches at 5 (approved Aug. 6, 2013) https://www.justice.gov/sites/default/files/opcl/docs/breach-procedures.pdf.

[18] United States Department of Justice, DOJ Instruction: Incident Response Procedures for Data Breaches at 4 (approved Aug. 6, 2013) https://www.justice.gov/sites/default/files/opcl/docs/breach-procedures.pdf.

[19] There are exceptions to this, as explained elsewhere herein.

[20] FACT SHEET; Ransomware and HIPAA, U.S. Department of Health & Human Services p. 1 (visited Oct. 1, 2016), https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.

[21] Incidents of Ransomware on the Rise, FBI News (Apr. 29, 2016),  https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise.

[22] How to Interpret HHS Guidance on Ransomware as a HIPAA Breach, Paloalto Networks (July 25, 2016), http://researchcenter.paloaltonetworks.com/2016/07/how-to-interpret-hhs-guidance-on-ransomware-as-a-hipaa-breach/.

[23] FACT SHEET; Ransomware and HIPAA, U.S. Department of Health & Human Services p. 1 (visited Oct. 1, 2016), https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.

[24] Id. at 5-6.

[25] David M. Brown, Tennessee Revamps Its State Data Breach Notification Statute, Data Privacy Monitor (Apr. 1, 2016) https://www.dataprivacymonitor.com/data-breach-notification-laws/tennessee-revamps-its-state-data-breach-notification-statute/.

[26] Cite hacking paper

[27] The law defines “breach of system security” as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.” Section 521.053 of the Texas Business and Commerce Code. See Texas’ Amended Data Breach Notification Law, Cybersecurity Business Law https://shawnetuma.com/2012/11/14/texas-amended-data-breach-notification-law/

[28] 18 U.S.C. § 1030(d) (2008).

[29] Critical Issues in Policing Series, The Role of Local Law Enforcement Agencies in Preventing and Investigating Cybercrime, http://www.policeforum.org/assets/docs/Critical_Issues_Series_2/the%20role%20of%20local%20law%20enforcement%20agencies%20in%20preventing%20and%20investigating%20cybercrime%202014.pdf.

[30] Texas Department of Public Safety, Computer Information Technology and Electronic Crime (CITEC) Unit, http://www.txdps.state.tx.us/CriminalInvestigations/citecUnit.htm.

[31] Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers, Working with Law Enforcement in Cyber Investigations (p. 237) https://www.securityroundtable.org/wp-content/uploads/2015/09/Cybersecurity-9780996498203-no_marks.pdf

[32] Vice, A Law Professor Explains Why You Should Never Talk to Police (Sept. 20, 2016) http://www.vice.com/read/law-professor-police-interrogation-law-constitution-survival.

[33] Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers, Working with Law Enforcement in Cyber Investigations (p. 237) https://www.securityroundtable.org/wp-content/uploads/2015/09/Cybersecurity-9780996498203-no_marks.pdf

[34] DOJ, Best Practices for Victim Response and Reporting of Cyber Incidents, https://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents2.pdf.

[35] Id. at 5.

[36] Id. at 10.

[37] Id. at 14.

[38] Federal Trade Commission, Data Breach Response: A Guide for Business, https://www.ftc.gov/system/files/documents/plain-language/pdf-0154_data-breach-response-guide-for-business.pdf.

[39] FTC, If the FTC Comes to Call, (May 20, 2015) https://www.ftc.gov/news-events/blogs/business-blog/2015/05/if-ftc-comes-call.

[40] National Institute of Standards and Technology, Computer Security Incident Handling Guide, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf [hereinafter, NIST Cybersecurity Framework].

[41] NIST Guide p. 11.

[42] U.S. Senators’ Letter to Yahoo Inc.’s CEO, Sept. 27, 2016, https://www.leahy.senate.gov/imo/media/doc/9-27-16%20Yahoo%20Breach%20Letter.pdf.

[43] Cybersecurity Business Law, Yahoo Data Breach – Some Facts & Questions (i.e., was it really the Russians?) (Sept. 23, 2016) https://shawnetuma.com/2016/09/23/yahoo-data-breach-some-facts-some-questions-i-e-was-it-really-the-russians/.

[44] U.S. Department of Homeland Security, Cyber Incident Reporting: A Unified Message for Reporting to the Federal Government, https://www.dhs.gov/publication/cyber-incident-reporting-unified-message-reporting-federal-government.
