DOJ Official Calls for Cyber Cooperation, Less Focus on the ‘Wrong Type' of Risks

Stay current on changes and developments in corporate law with a wide variety of resources and tools.

By Yin Wilczek

May 19 — Assistant Attorney General Leslie Caldwell May 19 urged companies to report actual or suspected data breaches to law enforcement agencies, even those that may be caused by inadequate safeguards.

The Justice Department is not looking to investigate or prosecute hacking victims, assured Caldwell, who heads the DOJ's Criminal Division.

“Rather, we are seeking to partner with the private sector to prevent the breaches in the first place,” she said, adding that toward that end, companies should report the breaches and cooperate in both the investigation and prosecution of the guilty parties.

Addressing a compliance conference in Washington, Caldwell also warned companies against focusing on “the wrong type of risk” in implementing their compliance programs.

“We have repeatedly seen corporations target the risk of regulatory or law enforcement exposure of institutional and employee misconduct, rather than the risk of the misconduct itself,” she said. “The result: compliance programs are too often behind the curve, effectively guarding against yesterday’s corporate problem but failing to identify and prevent tomorrow’s scandals.”

Greater Cooperation 

In recent speeches, DOJ officials have urged greater cooperation between the government and private industry to combat hackers.

The DOJ's Cybersecurity Unit recently issued a “best practices” guide that encourages companies to establish ties with law enforcement authorities—including the FBI and U.S. Secret Service—even before an incident occurs.

The unit also has reached out to the private sector to forge better relationships, Caldwell said in her speech. The unit has engaged in “targeted cybersecurity consultations” with law firms, computer security specialists, industry groups and trade associations, and financial institutions and other organizations, she said.

As to regulatory risks, Caldwell told the audience that a strong compliance program aims to deter employee misconduct, whether that misconduct poses “obvious regulatory risk.”

“In designing compliance programs, companies would be wise to examine all of their lines of business—including those not subject to regulation—and determine where specific risks are and how best to control or mitigate them,” she said. “It is also critical that compliance programs take into account the operational realities and risks attendant to the particular company’s business, and are designed to prevent and detect particular types of misconduct likely to occur in a particular line of business.”

As an example, she said companies exposed to potential Foreign Corrupt Practices Act violations must use different internal controls than firms with less exposure.

Hallmarks of Good Program 

Among other hallmarks, Caldwell said an effective compliance program includes:

• “strong, explicit and visible support” from senior management;

• adequate funding and resources;

• an effective process for investigating and documenting allegations of wrongdoing;

• an effective internal reporting system; and

• the willingness to act against noncompliant third parties with which the company interacts.


Caldwell also warned that in assessing the adequacy of a compliance program, the DOJ will look not only at the company's written policies and procedures, but also at “other messages conveyed to employees,” including through telephone calls, e-mails, in-person meetings and pay structures.

The DOJ's overall message is simple, Caldwell continued. We “expect corporate entities to take compliance risk as seriously as they take other business-related risks.”

To contact the reporter on this story: Yin Wilczek in Washington at

To contact the editor responsible for this story: Ryan Tuck at

The text of Caldwell's speech is available at


Request Corporate on Bloomberg Law