It is universally accepted that if you become a victim of crime, you turn to the police.
However, in the battle against cyber crime, a different approach is often required. In sharp contrast to other crime investigations, the first objective is unlikely to be tracking down the hackers and bringing them to justice, but rather establishing what data may have been stolen.
This is a task corporates need to direct themselves. Even if law enforcement could investigate the crime for the victim, there are serious downsides to this approach, as it may require access to secret corporate data and restricted networks. By handing the investigation over to the police, corporations lose control over the timing and content of any public notification, which could prove a public relations disaster.
A key question is, therefore, when (or even whether) to notify law enforcement authorities. The strategy will, in part, be shaped by the type of data breach or hacking. Many hacking incidents are carried out by employees or former employees with a grudge. These types of perpetrators are relatively easy to track and locate, arming corporations with a range of civil enforcement options, including dismissing or suing the perpetrator.
By contrast, hackings co-ordinated by outsiders present a very different challenge. Unlike most crimes, there is typically no physical link between an outside hacker and his victim. The hacker could be thousands of miles away and completely unknown to the victim. This makes it far harder to identify and bring such a perpetrator to justice.
Instead, investigators of outside hackings typically start by trying to answer a more basic series of questions, such as: how did the breach occur; has it stopped; how long has it been going on; and what data was stolen?
Sophisticated computer forensics may help answer these questions. Forensic experts will secure and review copies of the network traffic logs and configurations, and make forensic images of infected computers. This is a very intrusive process that requires scanning the entire corporate network for virus signatures, copying key computers and servers in full and monitoring network traffic.
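The "secure copies" step above hinges on one thing a forensics expert is later asked to prove: that the log files and images reviewed are exactly what was collected, and that nothing changed between collection and review. The script below is an added illustration of that evidence-preservation step, written for this page rather than taken from the article or from Stroz Friedberg. It assumes file-based logs (the sample firewall and proxy lines are constructed), copies each file into an evidence directory, records a SHA-256 hash and acquisition time in a manifest, and re-verifies the copies later so that any alteration, accidental or otherwise, is detected.

```python
"""Added example: hash-verified preservation of log files for a breach investigation.

Not code from the original article. Paths, log lines and manifest layout are
constructed for illustration only.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large forensic copies do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_evidence(sources, evidence_dir):
    """Copy each source file into evidence_dir and write a manifest of SHA-256 hashes.

    The source is hashed before copying and the copy is hashed after, so a copy
    that does not match its source is rejected immediately rather than discovered
    weeks later during review.
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in map(Path, sources):
        dst = evidence_dir / src.name
        source_hash = sha256_file(src)
        shutil.copy2(src, dst)  # copy2 keeps the original modification timestamp
        copy_hash = sha256_file(dst)
        if copy_hash != source_hash:
            raise RuntimeError(f"copy of {src} does not match its source")
        manifest.append({
            "source": str(src),
            "copy": str(dst),
            "sha256": copy_hash,
            "size": dst.stat().st_size,
            "acquired_at": datetime.now(timezone.utc).isoformat(),
        })
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(evidence_dir):
    """Re-hash every preserved copy against the manifest; return the paths that fail."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    failed = []
    for entry in manifest:
        copy = Path(entry["copy"])
        if not copy.exists() or sha256_file(copy) != entry["sha256"]:
            failed.append(str(copy))
    return failed


def demo():
    """Preserve two constructed log files, verify them, then show that tampering is caught."""
    work = Path(tempfile.mkdtemp(prefix="ir-demo-"))
    logs = work / "logs"
    logs.mkdir()
    # Constructed sample log lines; addresses are from documentation ranges.
    (logs / "firewall.log").write_text(
        "2024-01-01T00:00:00Z DENY 203.0.113.5 -> 10.0.0.7:445\n"
        "2024-01-01T00:00:05Z ALLOW 10.0.0.7 -> 198.51.100.9:443\n"
    )
    (logs / "proxy.log").write_text(
        "2024-01-01T00:00:06Z 10.0.0.7 CONNECT example.invalid:443 200\n"
    )
    evidence = work / "evidence"
    manifest = preserve_evidence([logs / "firewall.log", logs / "proxy.log"], evidence)
    before_tamper = verify_evidence(evidence)
    # Simulate a preserved copy being altered after acquisition.
    (evidence / "firewall.log").write_text("2024-01-01T00:00:00Z ALLOW 203.0.113.5 -> 10.0.0.7:445\n")
    after_tamper = verify_evidence(evidence)
    return {"manifest": manifest, "before_tamper": before_tamper, "after_tamper": after_tamper}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
```

In practice the manifest itself would be stored separately from the copies (or signed), since a manifest that sits next to the evidence can be edited together with it; the script keeps both in one directory only to stay self-contained.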
A victim company may be required to notify regulators and the public of a data breach. Some jurisdictions require notification for certain industries while others require notification for any industry if the breached data included personally identifying information (PII) about individuals.
In such cases, the question of whether to notify the authorities may be moot, but there is still the question of when you notify law enforcement – before or after a private investigation is complete.
In my experience, most companies faced with this situation conduct a private investigation before notifying law enforcement. Three factors tend to drive this decision:
1) It is not always immediately clear if a breach requiring notification has occurred and the only way to determine if a notification is required may be to complete the investigation yourself;
2) If individuals need to be notified about the breach, only the company and its forensics experts are in a position to determine who needs to be notified, as law enforcement will not do that for a company;
3) It is much easier to control the public relations if the company knows the extent of the problem before it is announced.
In short, giving control to public authorities early in an investigation is rarely a viable option.
Beyond the practical and legal considerations, there is always at least one good reason to involve law enforcement at some stage of a breach investigation: it is in the public interest. In addition to the deterrence effect, law enforcement is in a position to see patterns across victims and assist the wider community in preparing for and responding to hacking.
Criminal investigations of one hacking often uncover evidence of additional victims. For this reason, companies should probably err on the side of notifying law enforcement if they are victims, but typically only after their own investigation has revealed the nature and scope of the incident.
Executives responding to an incident must remember that hacking is very different from other sorts of crimes. Though law enforcement can play a role, corporations working with outside experts must direct the investigation to determine the extent of the data breach and the requirement to notify regulators or the public.
Even if law enforcement is able to identify and prosecute the hacker, only private computer forensics and legal experts will be able to answer the key questions required for the company to respond to the incident.
Seth Berman is executive managing director and UK head of Stroz Friedberg