Justice Department Updates Best Practices for Cybersecurity
October 31, 2018 | Nancy A. Del Pizzo
In September, the U.S. Department of Justice’s Cybersecurity Unit, Computer Crime & Intellectual Property Section updated its Best Practices for Victim Response and Reporting of Cyber Incidents. The updated guidance (which is not intended to have any regulatory effect) emphasizes the importance of planning a response before a data breach, ransomware threat or other cyber incident occurs.
New in this revised guidance are considerations related to ransomware, information sharing under the Cybersecurity Information Sharing Act of 2015 (CISA), cloud computing and working with cyber incident response firms.
The guidance is intended to share experiences from federal investigators, prosecutors and private sector companies that have been involved in cyber incidents. Included in the guidance is a “Cyber Incident Preparedness Checklist” with tips for procedures to employ before a cyber incident and what to do after one occurs.
Highlights include the following tips:
- Have Authorization in Place to Permit Network Monitoring
As a result of CISA, private entities now have broad authority to monitor their own networks and, with consent, a third party’s networks. CISA preempts contrary state laws and overrides conflicting laws. CISA also provides protection to private entities against a legal action related to cybersecurity monitoring conducted pursuant to CISA. Note that CISA authorizes monitoring only for “cybersecurity purposes,” which the statute defines as being for the “purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.” Thus, CISA does not authorize monitoring to support an investigation of employee misconduct that has no relationship to a cybersecurity threat.
- Educate Senior Management about the Threat
Ensure that a common understanding of the threats (data breach and ransomware attacks, for instance) is shared among senior management, the board of trustees and any other governing body making decisions and setting priorities for the company. Regular briefings are advisable, as is making available legal counsel familiar with technology and cyber incident management.
- Get Acquainted with Local Law Enforcement before an Incident
Among the useful tips is to establish a relationship with local law enforcement before needing to seek their help with a cyber incident. That includes setting up a point of contact and working to develop a mutually beneficial relationship. Some local law enforcement agencies have outreach programs and personnel expressly for this purpose.
- At a Minimum, Set Up Basic Security Procedures
The guidance notes that, at a minimum, commonsense cybersecurity practices should be instituted. These include establishing a reasonable patch management program to prevent intrusions that exploit known software vulnerabilities; limiting the availability of data internally; developing reasonable password-management procedures and employing multi-factor authentication systems; setting up some mechanism of perimeter defense, such as a firewall; and maintaining copies of server logs.
To review the complete guidance update, visit: https://www.justice.gov/criminal-ccips/file/1096971/download