A banner, however, is not the only means of obtaining legally valid consent. Computer
user agreements, workplace policies, and personnel training may also be used to obtain legally
sufficient user consent to monitoring. Organizations should obtain written acknowledgement
from their personnel of having signed such agreements or received such training. Doing so will
provide an organization with ready proof that it has met legal requirements for conducting
network monitoring.
Any means of obtaining legally sufficient consent should notify users that their use of the
system constitutes consent to the interception of their communications and that the results of
such monitoring may be disclosed to others, including law enforcement.[2] If an organization is a
government entity (e.g., a federal, state, or local agency or a state university) or a private entity
acting as an instrument or agent of the government, its actions may implicate the Fourth
Amendment. Consequently, any notice on the system of such an entity or organization should
also inform users of their diminished expectation of privacy for communications on the network.
E. Ensure Your Legal Counsel is Familiar with Technology and Cyber Incident
Management to Reduce Response Time During an Incident
Cyber incidents can raise unique legal questions. An organization faced with decisions
about how it interacts with government agents, the types of preventative technologies it can
lawfully use, its obligation to report the loss of customer information, and its potential liability
for taking specific remedial measures (or failing to do so) will benefit from obtaining legal
guidance from attorneys who are conversant with technology and knowledgeable about relevant
laws (e.g., the Computer Fraud and Abuse Act (18 U.S.C. § 1030), electronic surveillance, and
communications privacy laws). Legal counsel that is accustomed to addressing these types of
issues that are often associated with cyber incidents will be better prepared to provide a victim
organization with timely, accurate advice.
Many private organizations retain outside counsel who specialize in legal questions
associated with data breaches, while others find such cyber issues are common enough that they
have their own cyber-savvy attorneys on staff in their General Counsel’s offices. Having ready
access to advice from lawyers well acquainted with cyber incident response can speed an
organization’s decision making and help ensure that a victim organization’s incident response
activities remain on firm legal footing.
[2] More guidance on banners, including a model banner, can be found in our manual on searching and seizing
electronic evidence and in a 2009 legal opinion prepared by the Department of Justice’s Office of Legal Counsel.
See Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (3d ed. 2009),
available at http://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf; and Stephen G. Bradbury, Legal
Issues Relating to the Testing, Use, and Deployment of an Intrusion-Detection System to Protect Unclassified
Computer Networks in the Executive Branch, 33 Op. Off. Legal Counsel 1 (2009), available at
http://www.justice.gov/sites/default/files/olc/opinions/2009/01/31/e2-issues.pdf.