Private businesses are usually reluctant to share information following or during a cyber incident with public authorities, even those authorities specifically trained in digital forensic investigations and cyber incident management and response. Lawyers and their clients are rightfully concerned about maintaining attorney-client privilege, especially with the possibility of litigation following a cyber incident.
However, this position (albeit well-intentioned) is outdated and financially inefficient. Reporting incidents to qualified agencies helps mitigate the incident, improves the effectiveness of remediation efforts, will likely be required by law (soon), and gives the victim FREE assistance. Yes, these statements sound like “bait and switch” bullsh*t, but they are true. See below:
1. “Appropriate” Law Enforcement Entities Cannot Share Information with Third Parties
Attorneys representing private businesses suffering a cyber incident who warn against reporting to public officials in order to preserve attorney-client privilege are thinking correctly. However, further research would inform them that reporting events to the right type of public authority does not disturb attorney-client privilege or create other confidentiality concerns.
In 2015, Congress passed the Cybersecurity Information Sharing Act, codified at 6 U.S.C. §1501, and in 2021 Congress amended the act to include a statute on the role of the National Cyber Director in 6 U.S.C. §1500 (collectively, the “Act”). By sharing cyber defensive measures or indicators of compromise (IoCs) with any of the following agencies, referred to as “Appropriate Federal Entities,” the information sharer receives several confidentiality protections: the Departments of Commerce, Defense, Homeland Security, Energy, Justice, and Treasury, and the Office of the Director of National Intelligence. Note that the Department of Justice includes the Federal Bureau of Investigation (FBI) and every United States Attorney’s Office (USAO), and the Department of Homeland Security includes the United States Secret Service (USSS) and the Cybersecurity and Infrastructure Security Agency (CISA).
Protections afforded private entities that share cyber defensive measures and IoCs are found in 6 U.S.C. §1504(d), which include:
“No waiver of privilege or protection… [sharing information] shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection.”
“Proprietary information… [the government shall treat] the commercial, financial, and proprietary information of such non-Federal entity when so designated by the [sharing organization].”
“Exemption from Disclosure.” Information shared under the Act is exempt from federal, state, local, or tribal public records act requests.
Protections further include a bar against suits brought by third parties over the sharing of information with the federal government.
Louisiana further passed a copy-cat law, La. R.S. 51:2101 et seq., which protects state-law legal privileges and adds some of the state’s own agencies to the list of “appropriate” authorities with whom to share intelligence.
2. Mandatory Federal Reporting Is, or Will Soon Be, Required.
In March 2022, the Securities and Exchange Commission (SEC) floated a proposed rule and fact sheet requiring the disclosure of cybersecurity precautions by publicly traded businesses. Any entity subject to the reporting requirements of the Securities Exchange Act of 1934 will, if/once the rule is adopted by the SEC, be forced to disclose the following information:
Current reporting about material cybersecurity incidents on Form 8-K;
Periodic disclosures regarding:
A registrant’s policies and procedures to identify and manage cybersecurity risks;
Management’s role in implementing cybersecurity policies and procedures;
Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk;
Updates about previously reported material cybersecurity incidents; and
A requirement that the cybersecurity disclosures be presented in Inline eXtensible Business Reporting Language (Inline XBRL).
The same month that the SEC announced its proposed rule, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), now 6 U.S.C. §681-681g, which both offers confidentiality protections and requires businesses operating in critical infrastructure sectors to report cyber incidents to CISA within 72 hours, and to report ransom payments to CISA within 24 hours (although specific reporting requirements remain in development). And because the definition of critical infrastructure is so abstract (see the USA PATRIOT Act of 2001, 42 U.S.C. 5195c(e)), which entities are subject to CIRCIA remains uncertain. CISA is asking for public assistance in refining CIRCIA.
3. Free Services
Lastly, resources provided by qualified state or federal agencies are FREE of charge to the recipients. This means, at least in Louisiana, that a private entity suffering a cyber incident can request and receive a FREE digital forensic analysis from the Louisiana State Police Cyber Crime Unit, while also enjoying the privilege and confidentiality protections described above. A qualified and honest cybersecurity professional will affirm that, absent a digital forensic analysis, remediation efforts are likely incomplete and/or ill-informed and greatly increase the probability of a repeat incident. Depending on the company performing the forensics and the specifics of the incident, a digital forensic analysis costs tens of thousands of dollars.
Additionally, if money is stolen from the cyber incident victim, the USSS can help retrieve and return the funds, even if the funds leave the USA, provided that the USSS is alerted quickly (within 48 hours for international theft and 72 hours for domestic theft). Again, this is a FREE service for the victim.