When hit with a cybersecurity attack, organizations are often not inclined to bring in federal law enforcement. Recent comments by FBI Director Christopher Wray at Mandiant’s annual mWISE 2023 conference seek to encourage the private sector to reconsider, as reported in CIODive. Doing so deserves careful consideration, and depending on certain factors it may be required.

According to the article, Director Wray attempted to reassure conference attendees:

“We know the private sector hasn’t always been excited about working with federal law enforcement, but when you contact us about an intrusion, we won’t be showing up in raid jackets, instead we’ll treat you like the victims you are – just like we treat all victims of crimes.”

According to the U.S. Government Accountability Office, “the U.S. is less prepared to fight cybercrime than it could be” – the title of a recent GAO blog published in August 2023. There are several reasons for this, according to the GAO, one of which is public hesitancy to report attacks. That hesitancy stems from:

  • Apprehension about public disclosure and loss of privilege
  • Concerns about the organization’s reputation
  • Uncertainty about which agency to report the attack to
  • Doubt that law enforcement can do anything about the attack, which diminishes the incentive to report
  • A preference, in some organizations, for contacting local law enforcement instead

See the full GAO report.

Director Wray pointed to some successes his agency has had with disrupting criminal operations and cyber-attacks in the U.S. One example is the takedown of Qakbot, malware that reportedly had infected more than 700,000 computers worldwide and 200,000 in the U.S. 

An organization’s hesitancy to report a cybercrime to federal law enforcement may have to yield to emerging reporting mandates. These include, without limitation:

  • Department of Homeland Security. According to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Act), entities in the critical infrastructure sector must report to the Department of Homeland Security (DHS) certain cyber incidents within 72 hours, and ransom payments within 24 hours of making the payment. As regulations to implement these requirements near, DHS recently announced a common platform for reporting cyber incidents.
  • Securities and Exchange Commission. This summer, the Securities and Exchange Commission (SEC) adopted rules to enhance and standardize disclosures by public companies regarding cybersecurity risk management, strategy, governance, and incidents. In short, material cybersecurity incidents must be reported within four (4) business days.
  • National Credit Union Administration. The National Credit Union Administration (NCUA) recently finalized regulations that became effective September 1, 2023. Under the final rule, federally insured credit unions must notify the NCUA as soon as possible but no later than 72 hours after the Federally Insured Credit Union (FICU) reasonably believes that a reportable cyber incident has occurred.

Another reason to consider reporting a cyber-attack has to do with minimizing exposure to civil liability under regulations enforced by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). In general, U.S. law prohibits U.S. persons from engaging in transactions, directly or indirectly, with certain individuals or entities – this includes ransom payments. According to OFAC guidance, the agency:

may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such person did not know or have reason to know that it was engaging in a transaction that was prohibited under sanctions laws and regulations administered by OFAC.

However, OFAC will consider certain factors that could minimize exposure to penalties. One of those factors is reporting ransomware attacks to appropriate U.S. government agencies and cooperating with OFAC, law enforcement, and other relevant agencies.

Of course, decisions regarding whether, when, how, and to whom to report a cyber-attack should be thought through carefully, with experienced counsel, considering the circumstances and related issues. Whether Director Wray will see an uptick in reporting and be able to use that information to help thwart more attacks remains to be seen.

If you have questions about reporting cyber-attacks or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Joe counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards. The following are examples of areas of focus in his practice:

  • Advising health care providers, business associates, and group health plan sponsors concerning HIPAA/HITECH compliance, including risk assessments, policies and procedures, incident response plan development, vendor assessment and management programs, and training.
  • Coached hundreds of companies through the investigation, remediation, notification, and overall response to data breaches of all kinds – PHI, PII, payment card, etc.
  • Helping organizations address questions about the application, implementation, and overall compliance with European Union’s General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the California Consumer Privacy Act.
  • Working with organizations to develop and implement video, audio, and data-driven monitoring and surveillance programs. For instance, in the transportation and related industries, Joe has worked with numerous clients on fleet management programs involving the use of telematics, dash-cams, event data recorders (EDR), and related technologies. He also has advised many clients in the use of biometrics including with regard to consent, data security, and retention issues under BIPA and other laws.
  • Assisting clients with growing state data security mandates to safeguard personal information, including steering clients through detailed risk assessments and converting those assessments into practical “best practice” risk management solutions, including written information security programs (WISPs). Related work includes compliance advice concerning FTC Act, Regulation S-P, GLBA, and New York Reg. 500.
  • Advising clients about best practices for electronic communications, including in social media, as well as when communicating under a “bring your own device” (BYOD) or “company owned personally enabled device” (COPE) environment.
  • Conducting various levels of privacy and data security training for executives and employees.
  • Supports organizations through mergers, acquisitions, and reorganizations with regard to the handling of employee and customer data, and the safeguarding of that data during the transaction.
  • Representing organizations in matters involving inquiries into privacy and data security compliance before federal and state agencies including the HHS Office of Civil Rights, Federal Trade Commission, and various state Attorneys General.

Benefits counseling experience – Joe’s work in the benefits counseling area covers many areas of employee benefits law. Below are some examples of that work:

  • As part of the Firm’s Health Care Reform Team, he advises employers and plan sponsors regarding the establishment, administration and operation of fully insured and self-funded health and welfare plans to comply with ERISA, IRC, ACA/PPACA, HIPAA, COBRA, ADA, GINA, and other related laws.
  • Guiding clients through the selection of plan service providers, along with negotiating service agreements with vendors to address plan compliance and operations, while leveraging data security experience to ensure plan data is safeguarded.
  • Counsels plan sponsors on day-to-day compliance and administrative issues affecting plans.
  • Assists in the design and drafting of benefit plan documents, including severance and fringe benefit plans.
  • Advises plan sponsors concerning employee benefit plan operation, administration and correcting errors in operation.

Joe speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics, and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender’s Labor and Employment Bulletin, the Australian Privacy Law Bulletin and the Privacy and Data Security Law Journal.

Joe served as a judicial law clerk for the Honorable Laura Denvir Stith on the Missouri Court of Appeals.