Main Menu
Print PDF

Cybersecurity Unit of DOJ Publishes “Best Practices” for Responding to a Cyber Attack

Cyber Law and Data Protection Alert | May 5, 2015
By: Joshua A. Mooney and Laura Schmidt

Recognizing that any organization connected to the Internet can suffer a data breach or other form of cyber-based attack, the Cybersecurity Unit of the U.S. Department of Justice has published a “Best Practices for Victim Response and Reporting of Cyber Incidents” (DOJ Report). The report offers guidance to companies both for preparing a cyber response plan and for responding to a cyber attack. The report was drafted for small and mid-sized businesses, who may have more limited resources than much larger companies.

The DOJ Report emphasizes numerous practices an organization can take in order to prepare for a cyber attack.  Among the most important steps is to have a well-established response plan and procedure in place before a cyber attack occurs.  As part of preparing a response plan, the report states that every organization first should identify its “crown jewels” (i.e., the data, assets, and services that warrant the most protection) in order to formulate a plan that best protects them.  Importantly, the report notes that cyber response plans are not “one size fits all.” Because organizations’ needs vary, so should cyber response plans in order to fit those needs. For some organizations, even a short-term disruption in their ability to send or receive email will have a devastating impact on their operations. For other organizations, the ability to guarantee the integrity and security of the data they store and process, such as customer information, is vital to their continued operation. These differences may require the development of different response plans.   

The DOJ Report also identifies the importance of an organization’s ability to monitor its own network in “real-time.” The report states that, before an incident takes place, an organization should adopt mechanisms to obtain its network users’ consent to monitor communications in order to allow the organization to detect and respond quickly to a cyber attack. With the assistance of counsel, an organization can obtain needed authorization through the use of computer-user agreements, workplace policies, personnel training sessions with written acknowledgments and agreements, or other legal devices.

The key is to have an actionable plan in place before the cyber attack occurs. A response plan should provide concrete and specific procedures, including which individuals have lead responsibility, how to contact critical individuals, and instructions about preserving data related to the intrusion.  Legal counsel as an important component to a response plan. Because cyber incidents and attacks can raise unique legal questions, the DOJ Report recognizes the importance of seeking guidance from legal counsel accustomed to addressing cyber issues and who is conversant with technology and relevant laws (e.g., the Computer Fraud and Abuse Act (18 U.S.C. § 1030), electronic surveillance, and communications privacy laws) to help provide timely and accurate advice. Counsel can ensure that the response remains on firm legal footing.

Finally, the DOJ Report identifies four steps as “best practices” an organization should take when it suffers a cyber attack. In their simplest terms, those steps are (1) make an initial assessment, (2) implement measures to minimize continuing damage, (3) record and collect information, and (4) notify appropriate personnel.  Some of these steps include checklists to help organizations identify the cause or source of the cyber attack, including login and user information, and descriptions of information the organization should gather in its investigation.

The report recognizes the importance of knowledgeable legal counsel.  In fact, contacting legal counsel is a critical first step in any response to a cyber attack.  Cyber counsel can assist an organization with quickly identifying a forensics team to identify and remediate a cyber attack, and coordinate the company’s response to the attack with in-house counsel or other company officers. Counsel also can lead an investigation for the company under the protection of the attorney-client privilege, and help the company navigate its legal obligations, including, for data breaches, potential notification of the breach to state attorneys’ general offices and to persons whose information was compromised.  

The report also states that law enforcement and the Department of Homeland Security should be contacted. When a business is victimized by a cyber attack, its approach and subsequent interaction with government investigators and prosecutors invariably can be aided by experienced counsel.  Counsel can work to minimize any disruption of business caused by an investigation and work with in-house counsel to protect attorney-client privilege and other confidential information. 

For additional information about the DOJ Report and this alert, please contact Joshua Mooney (215-864-6345; or Laura Schmidt (215-864-6333;

For more information on preparing a cyber response plan, or for responding to a cyber attack, please contact Joshua Mooney (215-864-6345; or Jay Shapiro (212.714.3063; 

This correspondence should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult a lawyer concerning your own situation and legal questions.
Back to Page