One of the many difficult questions that companies face in the immediate aftermath of discovering a cyber breach is whether to inform their regulators or law enforcement. Assuming there is no mandatory disclosure obligation, some companies are reluctant to call the government because (1) they may not know all the facts yet, (2) they don’t want to waive privilege, and (3) they are worried that the company will become the target of an investigation into whether it had adequate cybersecurity measures. The FBI is trying to alleviate those concerns so that more companies share cyber threat information with the Bureau, which the FBI views as an essential part of its efforts to protect U.S. companies from cyber attacks.
As we have noted previously, getting the FBI involved in a cyber event can also have significant benefits for companies: (1) the FBI is often best equipped to identify the source of the attack and the type of malware used; (2) it may know how the attacker accessed your system and how to close that vulnerability; (3) if money has been taken or sent to the wrong place, it can help trace the funds and reverse fraudulent transfers; and (4) in the case of a ransomware attack, it may be able to help with decryption and with determining whether the attackers are likely to do what they say if a ransom is paid.
Earlier this month, in remarks delivered at the Boston Conference on Cyber Security, FBI Director Christopher Wray strongly encouraged companies to share data breach information with the FBI promptly and thoroughly. Director Wray presented the FBI as an asset to companies that have experienced cyber attacks, stating that the Bureau is “in the business of protecting vital assets” and that it wants to work cooperatively with the private sector to “help protect your crown jewels” and “stop threats before they get worse.” He added that “[a]t the FBI, we treat victim companies as victims” and that the Bureau’s focus “will be on doing everything we can to help you.”
As reported in Law360, in a Q&A session following his formal remarks, Director Wray further emphasized that the FBI would view companies hit by a cyber attack as the victim, rather than using disclosed information to open an investigation of the company or share that information with other regulatory authorities that might do so. He stated that the FBI does not “view it as our responsibility, when a company is sharing information with us, to then turn around and share that information with some of those other agencies. . . . We obviously have to comply with the lawful process if we encounter it, but I think we don’t view it as our role to kind of rush out and share that information with those folks.”
Director Wray’s statements should comfort companies considering disclosing an incident to the FBI. Of course, companies must exercise caution not to waive privilege when disclosing any legal advice or work product to any third party, including the Bureau. As we have discussed previously, though, the risk of waiving privilege can be reduced. First, companies can establish privilege in a cyber investigation by engaging counsel at the outset of the investigation, retaining forensic consultants through counsel (in furtherance of counsel’s legal review), and perhaps by walling off counsel’s investigation from a non-privileged business review. Second, companies can reduce the risk of privilege waiver by adhering to the requirements of the Cybersecurity Information Sharing Act of 2015 (“CISA”), 6 U.S.C. §§ 1501–1510, which preserves privilege over certain information shared with the federal government for cybersecurity purposes.