According to industry guidance such as NIST SP 800-61, under which circumstance is it generally appropriate for an incident response team to notify law enforcement about a cybersecurity incident?
Immediately after any intrusion-detection alert, regardless of severity or scope.
Only if the organization lacks an internal CSIRT and cannot perform its own investigation.
When analysis shows the incident involves criminal activity or legal or regulatory obligations require external reporting.
Only after the organization publicly discloses the breach in a press release.
Law enforcement should be engaged when the facts suggest criminal activity (for example, data theft, extortion, or network intrusion that crosses jurisdictions) or when statutes or regulations mandate external reporting. This ensures that any potential crime is investigated, preserves admissible evidence, and keeps the organization in regulatory compliance. Routine security events or purely internal matters do not automatically require police involvement, and premature disclosure can hamper containment or create jurisdictional conflicts. Options B, C, and D each describe situations that either lack evidence of criminality or defer unnecessarily and therefore are not appropriate triggers for contacting law enforcement.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What criteria should be used to determine if law enforcement needs to be notified during a cybersecurity incident?
Open an interactive chat with Bash
What are some best practices for responding to cybersecurity incidents without immediately notifying law enforcement?
Open an interactive chat with Bash
What are the potential consequences of notifying law enforcement during every cybersecurity incident?