If there hasn’t been a criminal investigation, should you ask for one?
If your company is not subject to any of the aforementioned reporting provisions and law enforcement is not otherwise aware of the cyber attack, you need to weigh several competing considerations to determine whether to request a criminal investigation.
For instance, any of the following factors could militate against contacting the appropriate criminal authorities:
Possible liability – Notifying law enforcement may ultimately lead to civil liability or worse for the company, depending on the firm’s role in causing or failing to stop the breach. To make matters worse, facts bearing on the company’s role may not be known to the company until weeks or months after the breach, and it may turn out that the breach was not the result of criminal activity. In other words, the company could notify law enforcement unnecessarily and essentially call the police on itself. This is the most serious concern.
Disruption of your business – The data breach is likely to disrupt your business; the presence of government agents or investigators on-site examining or imaging your servers and interviewing your employees will only add to that disruption.
Risk of increased publicity – Although law enforcement likely will attempt to conduct their investigation without publicly exposing the intrusion or data breach (at least preliminarily), involving law enforcement may draw attention to the incident (both internally and externally) and could result in negative press. In the event of an arrest and trial of the perpetrator, the company’s reputation could be damaged further if it turns out that lax controls at the company facilitated the crime.
Confidentiality concerns – Your company may be concerned about sharing with law enforcement confidential information, including trade secrets and privileged communications with counsel. An investigation carries with it the possibility of a prosecution, the exchange of discovery, and a trial, none of which is likely to be known in the immediate aftermath of the breach. The government, not the victim corporation, decides whether to bring charges.
Note that, at the outset of an investigation, you may be able to negotiate with the government a confidentiality agreement that specifies to whom the government may show the information. And if the investigation leads to an arrest and a trial, more robust confidentiality agreements and protective orders, often authorized by statute (depending on the nature of the information at issue), might provide greater protections to corporate secrets.