Should law enforcement agencies be alerted every time a potential breach occurs? The DoJ thinks so.
At a hearing on March 4 before the U.S. Senate Judiciary Committee, Department of Justice (DoJ) Deputy Assistant Attorney General for National Asset Protection in the National Security Division Adam Hickey called upon Congress to enact legislation that would create a uniform nationwide data breach disclosure law (presumptively superseding state data breach laws) and include a requirement that companies report breaches not just to customers but also to law enforcement. Hickey told the Senate panel:
“We can’t respond to what we can’t see, and there are significant disincentives, [in] some cases, to reporting to law enforcement. As you and your colleagues consider a national data breach standard, we would urge you to follow the model of many state statutes and include a requirement to promptly notify law enforcement in addition to, and in advance of, notification of impacted consumers. Government notification would increase Federal law enforcement’s ability to pursue hackers and prevent data breaches. The administration is actively working on proposed legislation, and we look forward to working with Congress on this important issue.”
So is mandatory breach disclosure to law enforcement a good idea? It depends on what they are going to do with it.
As Goes California
In 2002, California passed SB 1386, a law that required entities that suffered a breach of certain kinds of personally identifiable information to report the breach to the victims of that breach. The goal was to permit breach victims to know that their data had been leaked so that the victims could help remediate the breach—you know, by reviewing recent purchases on their credit cards, canceling cards and monitoring credit. While such data breach (and data breach remediation) laws have become standard, both among states and certain federal sectors, and internationally through laws including GDPR (which requires notification not to customers but to privacy authorities), these laws generally require notification of data breaches not to law enforcement but to victims.
The purpose of disclosing a data breach to a customer is, in theory, to permit the customer (data subject) to take corrective action to mitigate any harm resulting from the breach. As a practical matter, apart from credit freezes or monitoring, there’s not a whole heck of a lot that data subjects can do when they get one of the “dear valued customers …” letters or emails. The practical impact of breach disclosure laws is to “name and shame” entities that have been unlucky enough to have discovered (or been advised of) a data breach, with the goal that they will do more in the future to prevent another one. Or at least to not discover it.
But what is the purpose of disclosing a data breach—or other security incidents, for that matter—to law enforcement?
Current Law Enforcement Disclosure Laws
New Jersey, however, has long had a data breach law that requires a company suffering a data breach to “in advance of the disclosure to the customer, report the breach of security and any information pertaining to the breach to the Division of State Police in the Department of Law and Public Safety for investigation or handling.” So, under New Jersey law, if you tell your customer about a breach before reporting it to the State Police, you are violating the statute. More recently, Illinois and Texas have passed laws requiring that certain entities that suffer data breaches report them to the state attorney general, while Florida exempts voluntary disclosures of data breaches to the government from public view. Mandatory reporting of data breaches to law enforcement is the exception rather than the rule. Apparently, that’s what DoJ wants to change.
One Ring to Rule Them All
Data breach laws are currently a hodgepodge of different requirements in terms of what constitutes a “breach,” who is required to report, what kinds of data are protected, how breaches are to be reported, what language is required to be in a data breach notice and what entities are required to do to mitigate or ameliorate a data breach. It is generally considered to be in the interests of companies and governments to have a single data breach disclosure law with a single reasonable procedure for reporting. Easy peasy, lemon squeezy. That’s because very few entities have a data breach that is confined to a single jurisdiction or that impacts people only in that jurisdiction. The real question is not whether a uniform law is a good or bad idea, but what such a law would contain; that is what determines whether it’s a good or bad idea.
Where’s My Super Suit?
In the animated classic “The Incredibles,” Frozone (Samuel L. Jackson), faced with an impending peril, asks his wife, “Honey, where’s my super suit?” to which she replies, “Why do you need to know?” So when it comes to law enforcement and data breaches, the question remains, “Why do you need to know?” If you ask the FBI/DoJ, they will tell you that they need mandatory reporting of computer crimes so they can effectively investigate crimes and coordinate with others, including foreign governments. You can’t investigate what you can’t see. To the DoJ, the problem is that it doesn’t have enough reporting of computer crime. The department is only seeing the tip of a much larger iceberg. In other words, overwhelmed and under-resourced law enforcement agencies see the problem as not having enough work to do. Really?
One problem with “mandatory reporting” is mandatory reporting OF WHAT? and TO WHOM? and WHY? Simple. Report “computer crime.” Treasury Department regulations already require certain banks and financial institutions to report certain suspicious activities on a Suspicious Activity Report (SAR) form. In a later advisory, Treasury’s FinCEN noted that regulated entities should report any:
“Cyber-Event: An attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information; Cyber-Enabled Crime: Illegal activities (e.g., fraud, money laundering, identity theft) carried out or facilitated by electronic systems and devices, such as networks and computers and provide Cyber-Related Information: Information that describes technical details of electronic activity and behavior, such as IP addresses, timestamps, and Indicators of Compromise (IOCs). Cyber-related information also includes, but is not limited to, data regarding the digital footprint of individuals and their behavior.”
Really? An attempt to gain unauthorized access? Every phishing attempt? Every malware attempt? Every ping sweep? Every port scan? In fact, the FinCEN guidance notes that “a financial institution is required to report a suspicious transaction conducted or attempted by, at, or through the institution that involves or aggregates to $5,000 or more in funds or other assets.” That would include employee time, computer resources, etc. A pretty low threshold. Will the FBI mandate similar reporting thresholds? What exactly does the FBI want to know?
The next question is what the FBI will do—and what it will be required to do—with the information reported. If the data just goes into a virtual manila envelope, then it does no particular good to anyone. Will the FBI be required by law to conduct a full and thorough investigation of each report, and will the victim, consistent with federal victim rights laws and DoJ policies, be notified of each critical stage of that investigation? Probably not. If victims don’t see results from reporting, they will be reluctant to continue to report. In fact, mandatory reporting will inflate the reported incidence of computer crime relative to other crimes, irrespective of its actual impact. If the FBI is not required to do something with the data that entities are compelled to produce, then it’s sophistry, not investigation.
Right now, victims of computer crime, whether they are individuals or companies, decide whether to report their situation to the police. Mostly. Decisions on calling the police are made based on what is in the best interests of the entity (victim), its shareholders, customers and third parties. Is there something the police can do to help, or will calling the police divert my resources from responding? Do I need someone to serve a grand jury subpoena or conduct an investigation, or do I just want the attack to stop? Is there a threat to public health or safety that I want the police to investigate, or is this something I can handle myself?
Whenever you report something to the police, you should always assume that what you report will be made public (even if this is not the case). The goal of the FBI/DoJ is to find the offender and prosecute them—and this may mean publicizing the scope and extent of your poor security. While there are some tools available for them to protect your identity or confidential information (such as naming your company as a confidential informant, or a protective order from a court), if disclosure is mandatory, protecting against further disclosure will be difficult. Disclosure to the FBI may also cause the FBI to subpoena or demand further information (access logs, data, etc.) from you, and may convert your internal investigation into a law enforcement investigation. If you don’t cooperate (or don’t fully cooperate), you become the criminal, not the hacker.
Even if this is not the intention of the FBI at the outset, relations can get testy when your objectives and those of law enforcement differ. You may also lose some of the legal protections of attorney-client privilege and attorney work product if the suggested law mandates reporting of the results of internal investigations as well. And nothing contained in the DoJ testimony suggests that the mandatory reporting requirement would be limited or targeted to companies or corporations. Thus, if your grandmother’s Acer computer running Windows 95 is hit by malware, she may be required to report that to IC3. Also, DoJ was kind of silent on sanctions for failure to comply. Does grandma get hauled off in chains? Fined? What?
It is often a good idea to coordinate a serious computer crime investigation with appropriate law enforcement personnel. My rule is to coordinate with agents with whom I have previously had drinks—meaning, people I know, I trust and who trust me. That way you avoid the “black hole” of reporting—you report and nothing happens. Well, at least nothing visible. And that’s just frustrating.
It seems that the DoJ proposal is all stick and no carrot. It doesn’t require the DoJ or FBI to do anything and imposes unnecessary costs on crime victims. I understand their goal, but this may not be the best way to get there. Meanwhile, where’s my super suit??