Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations

Reporting Breaches to Law Enforcement: Why Timing Matters

Privacy Attorney Kirk Nahra Discusses Important Considerations
Privacy attorney Kirk Nahra of Wiley Rein LLP

The timing of reporting breaches to law enforcement is important because it could slow down an organization's incident response and internal investigation, says privacy attorney Kirk Nahra.

See Also: Secureworks Named a Major Player in the 2024 IDC MDR Marketscape

"How you work with law enforcement on timing is part of the puzzle of what you have to deal with ... as a company," he says. "Your obligations as the company don't necessarily slow down because law enforcement is involved." But incident response plans can be impacted, for example, "if law enforcement says 'we don't want you to do something'" that could impact evidence.

Sorting Out Obligations

Even when law enforcement is working on a breach case, entities still have their own internal investigation issues to consider, he says.

"Often organizations have to do their own investigations in trying to figure out what their obligations are in connection with their other requirements, such as whether they have to notify a specific regulator ... or individuals ... or their own business partners," he says. "Law enforcement's speed - or lack of speed - is really an independent variable."

Working with law enforcement is potentially helpful to organizations if the entity eventually wants to prosecute a case, or recover stolen data assets, he notes. "You have to factor that in," he says. "You try to work with law enforcement as one component to your overall breach response."

In a video interview at Information Security Media Group's recent Healthcare Security Summit in New York, Nahra also discusses:

  • Other pros and cons for reporting breaches to law enforcement;
  • Factors involved in decisions to report to law enforcement breaches that involve external actors versus insiders;
  • The tension involved in deciding to report security incidents to law enforcement while an entity is still determining whether to also report the incident to the Department of Health and Human Services' Office for Civil Rights.

As a partner at the law firm Wiley Rein LLP, Nahra specializes in privacy and information security issues, as well as other healthcare, insurance fraud and compliance issues. He's a member of the board of directors of the International Association of Privacy Professionals and was co-chair of the Confidentiality, Privacy and Security Workgroup, a former panel of government and private-sector privacy and security experts advising the American Health Information Community.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.