You’ve Been Data Breached – Is the Government Your Friend or Foe?
You have just been hacked. Precious information has just been stolen from you. It’s theft and you are the victim. You would think your immediate action is call the appropriate law enforcement authorities. Yet many organizations choose not to call the authorities. While many argue the benefits of involving the proper authorities outweighs the risk, there are reasons companies chose to keep the breach out of the hands of the government. Below are some pros and cons for each side of the coin:
Involving the Government During a Data Breach
Here are the advantages for immediately involving the proper authorities:
- Depending on your industry, you may have a regulatory requirement to contact the authorities.
- If you have cyber insurance, your policy may mandate that the proper authorities are contacted immediately or it may nullify the policy.
- The federal authorities have specialists designed to help you. You are victim and they can help find the source of the breach. Based on previous cases they have seen, they may be able to tell you what to expect next so you can adequately prepare.
- It helps the public at large for the government to know about as many breaches as possible so they can detect patterns and possibly prevent future attacks and/or make arrests.
- The information stolen from you might soon appear for sale on some underground forums (like the dark net) under surveillance by the authorities. By knowing the information, they may find your stolen information and this could lead them to those that attacked your company’s network.
Keeping a Data Breach Private
Below are reasons to keep a breach private and not involve the authorities:
- If the government is involved they will need to get access to your systems to find the breach. They now have access to all your data, which means any confidential data or documents you may not want other regulatory government authorities to know about.
- When the government comes in, they must be given access to all data. This may lead to the compromise of documents carrying the attorney/client privilege.
- The US government made a policy choice to give organizations principal responsibility for responding to cyber-attacks. If the government is brought in, their duty to assist the organization is not well defined. Without a defined role, an organization may be hesitant to hand over the reins.
- It takes time and resources to get the government up to speed, which may take resources away from dealing with the breach.
- If the government gets involved, you may lose the ability to control the investigation and keep it quiet. The government decides if/when to prosecute which could bring public attention to the breach. Publicizing a breach may result in future civil litigation or additional government investigations.
While there is no right or wrong answer, your cyber breach response plan should detail if the government is your first call or on the do not call list.