United States: Ransom Attacks And Breach Incidents: Reporting Cybercrimes To Government Agencies

Given the ongoing rise in ransomware attacks, and the rapid timeline on which cyber incidents typically unfold, it is important for organizations to understand the options victims of cybercrimes have for reporting data breach incidents to government entities.

In the United States, a number of federal agencies are tasked with receiving reports of cyber incidents and investigating.¹

A common way of notifying federal agencies of a cybercrime is through the filing of an IC3 complaint with the Federal Bureau of Investigation (FBI).² The IC3 was established in May 2000 to receive complaints of internet related crime and has received more than 7 million complaints since its inception.³ Its mission is to provide the public with a reliable and convenient reporting mechanism to submit information to the FBI concerning suspected cyber enabled criminal activity, and to develop effective alliances with law enforcement and industry partners to help those who report.⁴ A primary function of the IC3 department is to give victims a convenient and easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil violations on the Internet.⁵ The IC3 also develops leads and notifies law enforcement agencies at the federal, state, local and international level.⁶

Information sent to the IC3 may also be analyzed and disseminated for investigative and intelligence purposes to various other law enforcement agencies and public awareness.⁷

How it works is that a victim of an Internet Crime, or an agent on behalf of a victim, may file a report with the IC3.⁸ The IC3 defines Internet Crimes as including "any illegal activity involving one or more components of the Internet, such as websites, chat rooms, and/or email. Internet crime involves the use of the Internet to communicate false or fraudulent representations to consumers. These crimes may include, but are not limited to, advance-fee schemes, non-delivery of goods or services, computer hacking, or employment/business opportunity schemes."⁹ The IC3 does not require that the perpetrator of an Internet Crime be in the US in order for a complaint to be filed, rather it is sufficient that the victim, organization, or subject matter of an Internet Crime be located in the US for a report to be filed.¹⁰ Furthermore, the victim does not have to have US citizenship in order for a complaint to be filed.¹¹

The IC3 website provides an electronic complaint form which filers will have to complete in order to submit a report.

(We should note that companies in a small number of industries, for example defense contractors and critical infrastructure, need to consider special reporting requirements. Companies in these industries should consult with counsel that specialize in those reporting processes.)

For general cyber incident law enforcement reports, which is our focus here however, the IC3 complaint form generally requires details such as: (1) personal information regarding the victim (e.g., address, name, and contact information); (2) information regarding the financial transaction associated with the Internet Crime (e.g., account information, transaction date and amount, recipient of the transferred funds); (3) any information that may be obtained regarding the perpetrator (e.g., name, address, contact information, organization information, website, or IP address); and (4) specific details regarding how the criminal incident occurred.¹² Once a complaint is filed, the IC3 will review and research the complaints, including sharing the filed information with any federal, state, or local law enforcement as necessary in order to enact the appropriate criminal, civil, or administrative response.¹³ As the IC3 is not an investigative agency, it will not conduct an investigation on the filed complaint, but rather relies upon the law enforcement agencies it shares the complaint information with to enact further action.¹⁴

Besides IC3 reporting, the US government encourages private sector entities experiencing cyber incidents to report a cyber incident to the local field offices of federal law enforcement agencies, and their sector specific agency.

IC3 recommends that victims collect as much information as possible regarding the criminal activity as it can prove vital in assisting law enforcement agencies in any subsequent investigation. Pertinent evidence in an Internet Crime may include, for example: files showing malicious network traffic, logs; and emails, chat transcripts or other logs reflecting any communications with the threat actor.¹⁵

The IC3 department uses the reports filed along with data from various other government agencies to generate public statements and alerts which help entities guard against ever-evolving cyberthreats.

These advisories, known as FBI Flashes, FBI Private Industry Notifications (PINs) and joint statements are designed to help professionals and system administrators' guard against the malicious actions of cyber actors.¹⁶

The passage of the Cyber Incident Reporting for Critical Infrastructure Act ("CIRCI Act") in March 2022 by the Biden administration has also increased the reporting responsibilities for organizations in "critical infrastructure sectors" with CISA.¹⁷ The Act mandates that owners and operators of designated critical infrastructure sectors report significant cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours after the victim entity reasonably believes that the cyber incident has occurred.¹⁸ Reportable cyber incidents are defined as events that result in the compromise, unauthorized access, or disruption of information systems or data that are essential to the functioning of the critical infrastructure sector.¹⁹ Critical infrastructure sectors that are subject to the reporting requirements include, but are not limited to energy, financial services, healthcare, telecommunications, and transportation.²⁰

As the CIRCI Act also requires all federal agency to share any cyber incident report with CISA within 24 hours, reports filed with the IC3 department will also automatically be shared with CISA.²¹ Should an organization wish to share an incident report with CISA directly, reports involving unusual cyber activity and/or cyber incidents can be sent to report@cisa.gov or (888) 282-0870.²² The reports should include relevant information about the cyber incident, such as the nature of the event, the systems or data affected, the potential impact on the critical infrastructure sector, and any mitigation measures taken or planned. ²³ After a report has been made, the Act requires CISA, in consultation with relevant stakeholders, to review and update the reporting requirements, definitions, and guidelines periodically to ensure their continued effectiveness in addressing evolving cyber threats.²⁴

With our increasing dependence on technology, the general upward trend of cybercrime attacks will very likely continue to increase in the near future. From 2021 to 2022, while the IC3 noted a 5 percent decrease of reported cybercrime complaints, potential losses from cybercrimes have grown from $6.9 billion in 2021 to more than $10.2 billion in 2022, an approximate 48% increase.²⁵ Companies should plan for how to report to law enforcement, and counsel assisting with the data incident should be prepared to assist with the law enforcement reporting process, including gathering appropriate evidence for reporting.

Footnotes

1. United States Federal Government, "Cyber Incident Reporting: A Unified Message for Reporting to the Federal Government," at p. 1, available at https://www.fbi.gov/file-repository/cyber-incident-reporting-united-message-final.pdf/view (last accessed May 4, 2023).

2. Federal Bureau of Investigation, Internet Crime Complaint Center IC3, available at https://www.ic3.gov/Home (last accessed May 4, 2023).

3. Internet Crime Report 2022, supra n. 1 at p. 4.

4. Id.

5. Internet Crime Complaint Center IC3, supra n. 5, at https://www.ic3.gov/Home/ConsumerAlerts and https://www.ic3.gov/Home/IndustryAlerts (last accessed May 4, 2023)

6. Id.

7. Internet Crime Report 2022, supra n. 1 at p. 4.

8. Internet Crime Complaint Center IC3, supra n. 5, at https://www.ic3.gov/Home/FAQ (last accessed Dec. 14, 2022.

9. Id.

10. Id.

11. Id.

12. Id.

13. Id.

14. Id.

15. Internet Crime Complaint Center IC3 FAQ, supra n. 12.

16. Federal Bureau of Investigation, "Official Alerts & Statements," available at https://www.cisa.gov/stopransomware/official-alerts-statements-fbi (last accessed May 4, 2023)

17. Mar. 15, 2022, Pub. L. 117-103, 136 Stat. 1038

18. Id. at 1043.

19. Id. at 1039 and 1042-44.

20. Id. at 1039 (citing to Presidential Policy Directive 21, available at https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil) (last accessed May 4, 2023)

21. Cybersecurity & Infrastructure Security Agency, "Cyber Incident Reporting for Critical Infrastructure Act of 2022 Fact Sheet," available at https://www.cisa.gov/sites/default/files/2023-01/CIRCIA_07.21.2022_Factsheet_FINAL_508%20c.pdf (last accessed May 4, 2023).

22. Id.

23. Id. at 1039 and 1042-44.

24. Id. at 1040-1042.

25. Internet Crime Report 2022, supra n. 1 at p. 3.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.