Your business has been hacked – what to do when the government comes knocking

A cyberattack triggers many unpleasant consequences. A business may be forced to pay a considerable ransom to a cybercriminal who has locked up its systems and data. A cybercriminal may have obtained access to a chief executive officer or another high-level employee’s sensitive email communications. Trade secrets and other proprietary information may have been stolen. A business may be obligated to notify consumers, shareholders, business partners, or state and federal regulators that sensitive data has been compromised, and may be sued by these stakeholders. And, to make a bad situation worse, state and federal government investigators may come knocking to investigate the business, its handling of the attack, and its failure to prevent, prepare for, and properly respond to the incident. There are three guidelines every business should be mindful of when dealing with a government investigation into a cyberattack:

1. Respond to all inquiries in coordination with experienced cybersecurity counsel.
   In the heat of a high-stakes situation such as a cyberattack, a business may be tempted to immediately respond to government inquiries without consulting legal counsel. The business may be motivated by a desire to help the government bring the cybercriminal to justice, show it has done nothing wrong, and avoid further consequences. However, responding to the government’s inquiries without the advice of legal counsel may result in the disclosure of information that could be damaging to a business. For example, a business may inadvertently disclose information that is legally privileged, that is out of the scope of the government’s jurisdiction, or that the law simply does not entitle the government to know or have. Counsel can coordinate with the government, field requests, and respond to inquiries on the business’ behalf as appropriate.
2. Full and complete cooperation is key.
   In consultation with legal counsel, a business should fully cooperate with a government investigation into a cyberattack. Cooperation includes producing indicators of compromise, malware, and other forensic evidence so that the government is able to investigate the cybercrime and hold the perpetrator accountable. Cooperation does not include disclosing attorney-client privileged communications, allowing the government wholesale access to a business’ systems, data, and facilities, or implicitly or explicitly accepting responsibility for failing to prevent the attack without appropriate qualification and context. The goal is to assist efforts to catch the cybercriminal and to avoid disclosing anything that could be used by the government or other stakeholders to hold the business liable for failing to prevent or properly respond to the attack.
3. Be ready to show the government that you have prepared for the cyberattack and that you are taking steps to further enhance your security posture.
   The government often asks what steps a business has taken to prevent a cyberattack from occurring and what such steps are being taken to prevent future attacks. Preparation for a cyberattack includes implementing technical safeguards like endpoint monitoring, antivirus, and security vulnerability patches. Preparation also includes investing in cybersecurity insurance, regularly updating written policies and procedures governing information security, and conducting cybersecurity incident response training. These are basic precautions that the government now expects all businesses to have in preparation for a cyberattack.

A government investigation following a cyberattack requires a thoughtful and measured response. Careful management of one will help a business mitigate potential liability, risk, and further damage.

Hussein Jaward is an attorney in McDonald Hopkins’ national Data Privacy and Cybersecurity Practice Group. He helps small and large businesses prevent and respond to cyberattacks and regularly counsels business organizations facing state and federal investigations following such incidents.