Shearman & Sterling LLP | Government Regulatory Enforcement Blog | FBI Director States That Companies That Suffer Data Breaches Will Be Treated As Victims For Law Enforcement Purposes
  • FBI Director States That Companies That Suffer Data Breaches Will Be Treated As Victims For Law Enforcement Purposes
    At a March 7, 2018 Conference on Cyber Security co-hosted by Boston College and the Federal Bureau of Investigation (“FBI”), Director of the FBI Christopher Wray spoke about the FBI’s efforts to combat cyber threats.  Among other topics, Director Wray emphasized the FBI’s policy of treating companies that have experienced a cyber-attack as victims, and stressed the need for cooperation between the public and private sectors.

    A key theme of Director Wray’s remarks was the importance of collaboration to combat ever-evolving and sophisticated cyber-attacks.  Emphasizing the many ways in which cyber threats have evolved over the past decade, Director Wray noted that the FBI now was partnering with other federal agencies, such as the Department of Homeland Security, as well as its foreign counterparts, such as the European Cybercrime Centre.  “This threat is moving so quickly that any time for turf battles is long gone,” he said.  Likewise, Director Wray said that the FBI is “trying to work better with [its] private sector partners . . . sharing indicators of compromise, tactics cyber criminals are using, and strategic threat information whenever [it] can.”

    According to Director Wray, the FBI wants the private sector to feel comfortable working with law enforcement on such sensitive matters.  Director Wray made clear that a company that experiences a data breach will be considered, and treated like, a victim of a crime.  When responding to the breach, the FBI’s focus will be to do everything it can to help the victim company.  Director Wray reportedly also stated that the FBI is not interested in disclosing company information to regulators or private litigants.[1]  He implored companies to call the FBI or another regulatory agency when the company has indications of unauthorized access or malware, or when an attack results in a significant loss of data, systems, or control of systems.

    Importantly, however, Director Wray was speaking solely on behalf of the FBI.  And while the FBI very well may intend to treat such companies as “victims” for law enforcement purposes, regulators may focus more on these companies’ controls and protocols in detecting or defending against such a breach.  This is a common concern that certain companies face in self-reporting breaches, and the FBI cannot provide absolute assurances that any self-reporting will not lead to a regulatory inquiry or potential action.  As emphasized by Director Wray, however, cyber-attacks are a sophisticated and ever-evolving threat.  Law enforcement can be an invaluable resource in responding to a threat. 

    Deciding whether and when to contact the FBI in the event of a breach is a fact-intensive exercise, and is one that can benefit from conferring with counsel.  
    [1] Alison Noon, FBI Director Vows to Treat Hacked Companies as ‘Victims’, Law360, Mar. 7, 2018, available at