It’s a now-familiar scenario: A corporate computer system is hacked, and sensitive proprietary data may have been stolen or compromised.
In the crush of today’s marketplace, and given the ephemeral, quickly transferable nature of data, savvy business leaders know they must act immediately to minimize damage. As with all crimes, the evidence of computer crimes deteriorates with time. Moving quickly to begin an investigation is the right course of action.
One of the first options is to call law enforcement. As a practical matter, however, it is critical to take a moment to prioritize the business advantages – and disadvantages – of making that call. Involving law enforcement may or may not be the best thing for your company.
In making the decision to report the violation to law enforcement, companies juggle competing goals and priorities:
While involving the government furthers some of these goals, it can hinder others. Looking at both the advantages and costs is important to making informed decisions about involving the authorities.
Arsenal of tools
Assistance from law enforcement gives a corporation access to an arsenal of tools, including search warrants, court orders, wiretaps, grand jury subpoenas, and mechanisms for seeking cooperation from other countries.
These weapons, which can be used to identify a perpetrator and ensure the return of proprietary information, are not available to private sector companies. And while a company can terminate an employee and threaten or initiate civil action, the government can charge a hacker with crimes, arrest her, and force her to face the possibility of a felony conviction and sentence that may include fines and prison time.
Even the mere threat of criminal prosecution can persuade an employee to disclose information that can help a company assess and address potential harm.
If a company decides to conduct anything more than a cursory investigation, it is likely to incur sizeable costs, including payment to computer forensics experts, the cost of pulling IT officers away from their responsibilities, and the possibility of significant system downtime.
Should your company choose to handle an investigation in-house, these costs will be borne by your company. Alternatively, if the government undertakes the investigation and prosecution, law enforcement will shoulder most of the financial burden, though it will likely seek your assistance in gathering evidence.
Potential risks
Calling in law enforcement has its potential risks, though.
While investigating criminal activity, the government will have access to your computer systems. Even though the government tends not to look beyond immediate evidentiary concerns, there is a risk law enforcement personnel will stumble upon other information during their review of the systems.
For example, it is possible that an FBI agent investigating embezzlement from a health care company could find evidence of Medicare fraud, or that investigators searching for identity theft could encounter employee trafficking in pornography.
According to the 2005 Computer Security Institute (CSI)/FBI Computer Crime and Security Survey, the main reason cited by organizations for not reporting computer intrusions is the fear of negative publicity.
Reporting a crime makes it significantly more likely the crime will become public, as the government will likely want to publicize the case as a deterrent, to encourage other victims to come forward, or to remind the public the government is there to help.
While consumers are beginning to understand certain types of computer intrusions are commonplace, the publicity of reporting a computer crime can hurt a company’s reputation with the public, particularly where credit card or other sensitive data is involved.
Once the government is involved, it controls the investigation and any ensuing prosecution.
The government – not the company – decides the scope and pace of the investigation, including the scheduling of employee interviews, the documentation it requires, and whether and when to settle or to bring charges.
Moreover, because grand jury proceedings are secret, the government cannot share with a company what it learns from grand jury witnesses. Given these limitations, a company should not expect to be routinely updated on the status of the government’s investigation, the identity of the perpetrator, or the government’s intentions with respect to bringing criminal charges.
For many companies, the inability to control the pace and timing of the investigation, coupled with a relative information blackout, militates strongly against involving the government.
If your analysis leads to the decision to report the incident, a cooperative attitude and an experienced lawyer are essential to managing your company’s risk.
Establishing a cooperative relationship from the outset makes it more likely the government will respect your business concerns and schedule interviews at the convenience of the company, significantly reducing downtime and the cost of the investigation.
It can also help in shaping public outreach through the media and avoiding public disclosure of particularly sensitive information.
Allison D. Burroughs, partner in Nutter’s government investigations and white collar defense practice, joined the firm in 2005 from the U.S. Attorney’s Office in Boston where she spent eight of her 10 years with the economic crimes unit. Allison focuses on sophisticated white collar and economic crimes, including intellectual property offenses, computer crimes, money laundering, mail and wire fraud, economic espionage, terrorism, telemarketing schemes and complex RICO prosecutions. Allison can be reached at (617) 439-2000 or at [email protected].