To Prosecute or Not?


One of the classic conflicts in incident response in private organizations is related to the decision of whether to prosecute or not. (In government and quasi-government organizations, the decision is usually much simpler. These organizations have much less leeway, and the decision to prosecute is probably made by a law enforcement agency, an officer of the court, or a senior officer of the agency such as the inspector general.) The decision and the decision-making process have been criticized by both industry organizations and law enforcement agencies.

Law enforcement is often viewed by industry as too quick to prosecute. It is seen as being more interested in completing a high-profile case than in assisting the company in recovering its systems, its data, or its money. Many corporations are afraid that an agency will show up, ask which systems were affected, and seize them for examination, even if they are mission-critical.

Second, an investigation means that knowledge of the incident will become public. Companies are nervous that embarrassing details about a sensitive incident might leak (or even be released by a zealous prosecutor) and might influence public opinion (and therefore market position).

On the other hand, it is a popular view among many government and law enforcement agencies that corporations are deliberately hiding security-related incidents, even if regulations or statute require them to be reported. Some authorities have stated that large corporations often hire outside investigators and contract the work through the corporate general counsel in an attempt to protect the knowledge of the incident. If subpoenaed, the corporation and the outside team can both claim attorney-client privilege and refuse to discuss the details of the incident.

The actual truth is somewhere in between. Many senior law enforcement officials will acknowledge that they have a reputation as being heavy-handed in their conduct of investigations and that they traditionally have not been overly concerned with the business interests of the victim. In many cases, it is possible now to conduct most of the investigation without revealing the name of the affected company. Many agencies will allow the company to release the initial details or will conduct a joint press release.

Critical servers are seldom seized for a number of reasons. The investigators realize the importance of the computers to the operation of the business. Investigators might not have the knowledge to properly examine the systems (either online or off) and might ask for assistance from the company. The systems might be so large (for example, a RAID array on a transaction processing system) that it is not feasible to examine them offline. Legal precedents have evolved to the point that backups and copies of the affected systems (or even part of the systems) meet the "best evidence" criteria and are admissible. [6] Some of these issues are discussed in Chapters 8 and 9.

[6] See Chapter 9 for more discussion about performing forensics on large servers.

Although the original evidence is clearly preferred, when it is unavailable, a copy is often sufficient. Corporations are also realizing the value of law enforcement assistance. In a major incident (especially one large enough to damage the company's reputation), it is likely that the details will eventually leak out. It might be preferable to release the details in a controlled fashion and to make a point that the incident is under investigation (especially if it looks like an arrest and prosecution are likely).

It might also be appropriate to prosecute offenders to make an example of them. Although the legal and social theory of criminal prosecution is to punish the criminal, companies might also view it as deterrence. If a company has a reputation for tenaciously pursuing people who commit computer crimes, the criminals might choose either to not attack the system or to attack another company instead. For example, it might be a standard, if unwritten, policy for a bank to aggressively pursue and prosecute armed robbers without considering the amount of the crime. In response, in most areas of the world, armed robbery against large corporations is relatively uncommon, and most similar organizations have similar "best practices" of protection (for example, teller cages and alarm systems).



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103
