Following a cyber-attack or data breach, the C-Suite must make a number of crucial decisions for the well-being of both the company and its customers. One of the most difficult questions, especially in light of recent legislation, is whether or not to call the authorities. Bryan Rose, managing director with consulting firm Stroz Friedberg, explained at a recent cyberSecure conference that calling the feds could affect the company in either a negative or a beneficial way, depending on the circumstances. Will the public perceive the breach as an act of negligence, or will it view the company as the victim of the breach? Will the feds intervene in an intrusive way and hold the organization liable for inadequate cybersecurity practices? Rose also recommends thinking about the breach from a public relations perspective. “If it is a private breach, the company may not want to report it because of the possibility of leaks, not from the FBI, but possibly from other entities.” Delaying notification to the feds and customers could be crucial to the investigation by helping the organization determine the source of the attack. Nonetheless, when responding to a breach, it is imperative that a company first comply with the data breach notification laws, as the type of information accessed may be subject to legally binding reporting requirements.
The feds, however, have a different recommendation when responding to a breach: they always advise an organization to notify the authorities whenever a breach occurs. Richard Jacobs, assistant special agent in charge of the cyber branch in New York for the FBI, said they always want a phone call. “Your breach might be connected to a dozen others and help us paint a picture of the criminals. The FBI’s role is to get the bad guys out from behind the keyboard and into jail. If we don’t neutralize those responsible, they will come back and attack again and again.” He added that reporting a breach to regulators is different from reporting to the FBI. The FBI “is not responsible for turning information over to the regulators,” he explained. While hospitals, financial institutions and other businesses are required to report a cyber-attack to federal regulators within 30 days of an attack, the FBI has the power to issue a “safe harbor” letter, allowing more time for the investigation before the breach must be reported to regulators. The FBI believes that it can provide invaluable expertise when responding to a data breach, and that organizations should not be afraid to come to it first.