By Rose Law Group attorney Lauren Reynolds and Daniel Gauthier, who are focused on cybersecurity and privacy issues
Recently a client asked: The FBI wants my help with investigating a cybercrime against my business. What do I do?
This is an increasingly common issue as businesses rely more on technologies with security protocols. The government has an obvious incentive to investigate the cybercrime but may not have access to vital information without your cooperation. Unfortunately, the answer is not as simple as deciding: “Yes, I want to help the government.”
Your question raises at least three important considerations.
The first one is timing. After a cybercrime, you are presumably knee-deep in internal investigations, damage assessment and legal compliance, in addition to normal business operations. It is an inopportune time to free up more resources to assist in a governmental investigation.
The second consideration is control. Some companies are reluctant to “open the door” to the government unless they have an agreement with the government on the scope of the investigation. In addition to the fear of losing control of internal investigations, systems and data, businesses should also consider whether the information collected will be subject to public disclosure. These things need to be considered, and an agreement should be carefully crafted so as to minimize the chances of reputational harm, negative press or even civil litigation.
The third consideration is regulatory risk and civil liability. Does cooperating with one agency (e.g., the FBI) put you in the spotlight so that other agencies like the FTC or SEC are more likely to investigate your cybersecurity practices? In reference to the FBI’s characterization of businesses that are victims of a cybercrime, former Director James Comey said, “We understand what a victim is and we treat victims for what they are, which is victims.” But what about other agencies? The FTC, for example, frequently uses its enforcement power against businesses that incur data breaches. Without some assurance of immunity, a business may be reluctant to cooperate with one arm of the government.
Effective collaboration between public and private sectors to address cybercrime is undoubtedly a very good thing. After all, businesses and the government have the same interests regarding cybercrime: to mitigate loss and deter future crime. Nevertheless, given the above considerations, the business must carefully consider and attempt to protect against the risks of cooperating with a government cybercrime investigation.