Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations
Reporting Breaches to Law Enforcement: Why Timing Matters
Privacy Attorney Kirk Nahra Discusses Important ConsiderationsThe timing of reporting breaches to law enforcement is important because it could slow down an organization's incident response and internal investigation, says privacy attorney Kirk Nahra.
See Also: Corelight's Brian Dye on NDR's Role in Defeating Ransomware
"How you work with law enforcement on timing is part of the puzzle of what you have to deal with ... as a company," he says. "Your obligations as the company don't necessarily slow down because law enforcement is involved." But incident response plans can be impacted, for example, "if law enforcement says 'we don't want you to do something'" that could impact evidence.
Sorting Out Obligations
Even when law enforcement is working on a breach case, entities still have their own internal investigation issues to consider, he says.
"Often organizations have to do their own investigations in trying to figure out what their obligations are in connection with their other requirements, such as whether they have to notify a specific regulator ... or individuals ... or their own business partners," he says. "Law enforcement's speed - or lack of speed - is really an independent variable."
Working with law enforcement is potentially helpful to organizations if the entity eventually wants to prosecute a case, or recover stolen data assets, he notes. "You have to factor that in," he says. "You try to work with law enforcement as one component to your overall breach response."
In a video interview at Information Security Media Group's recent Healthcare Security Summit in New York, Nahra also discusses:
- Other pros and cons for reporting breaches to law enforcement;
- Factors involved in decisions to report to law enforcement breaches that involve external actors versus insiders;
- The tension involved in deciding to report security incidents to law enforcement while an entity is still determining whether to also report the incident to the Department of Health and Human Services' Office for Civil Rights.
As a partner at the law firm Wiley Rein LLP, Nahra specializes in privacy and information security issues, as well as other healthcare, insurance fraud and compliance issues. He's a member of the board of directors of the International Association of Privacy Professionals and was co-chair of the Confidentiality, Privacy and Security Workgroup, a former panel of government and private-sector privacy and security experts advising the American Health Information Community.