After a business is affected by a cyber breach, any number of decisions need to be made for the well-being of the company, its customers and other stakeholders.
One of the major questions for many companies is whether to involve the authorities, and there are several considerations surrounding this action.
Bryan Rose, managing director with the New York City-based business consulting firm Stroz Friedberg, told an audience at ALM's cyberSecure conference in New York City this week that a company must consider whether reporting the breach to the government will hurt or benefit the company in any way.
"There are benefits to reporting to law enforcement, but it depends on the company," Rose said, adding that the company will likely be viewed as a victim of the breach. "They (the FBI and Secret Service) are dealing with national security, and will make decisions based on that perspective."
He also recommended that a company think about public relations issues involved with the breach. "If it is a private breach, the company may not want to report it because of the possibility of leaks, not from the FBI, but possibly from other entities." Delaying notification may also be critical to the investigation, and can help the company in determining the source of the breach.
Nicole Friedlander, special counsel at the New York City law firm of Sullivan & Cromwell LLP, said that other considerations around reporting the breach include the type of information affected (such as personal identifiable information or personal health information), and whether the breach will generally affect public health or safety.
Calling in the feds
Richard Jacobs, assistant special agent in charge of the cyber branch in New York for the FBI said they would like to be notified any time a company suffers a breach. "We would like a phone call," he said. "Your breach might be connected to a dozen others and help us paint a picture of the criminals. The FBI's role is to get the bad guys out from behind the keyboard and into jail. If we don't neutralize those responsible, they will come back and attack again and again."
Jacobs explained that the FBI has information not available to the public, but they have provided it in certain cases on a need-to-know basis to help companies in the defense of their networks. He also said when organizations announce they have been the subject of a breach, it bodes well for those who can say up front they are working with the FBI to identify the source of the intrusion.
He stressed that reporting a breach to the FBI is not the same as reporting it to federal regulators, who must be notified for certain types of breaches. "When you speak with the FBI — we are not responsible for turning information over to the regulators," he added. Hospitals, financial institutions and other businesses must report cyber attacks or data breaches to federal regulators within 30 days. In some cases, because of the nature of the attack, the FBI may issue a company a "safe harbor" letter, which can give a company a little more time to report the breach to regulators and protect the integrity of the investigation.
Jacobs said the FBI and Secret Service frequently investigate cyber breaches. Sometimes they work together and sometimes they investigate independently. He recommended contacting the FBI first, but stressed that if a company has relationships with other agencies, they should contact whoever they feel comfortable working with on the incident.
Benefit of expertise
"When the FBI first responds — our job is to determine who is behind the breach," he explained. "We want indicators of the breach — things like copies of the malware, the IP addresses involved and what activities led up to the breach. We are often able to attribute an attack to a specific entity because of this information and may already have data on the perpetrators."
Jacobs also said that the FBI may be familiar with the group involved in the attack and can frequently tell a company what kinds of indicators to look for as part of the investigation.
There are also issues companies should think about pre-breach. According to Rose, "There should be a company response plan, inside counsel, outside counsel, who will make the decision to report the incident, who the company will report it to, and who will liaison with the FBI or Secret Service. Post-breach these things move very fast, so you need to know what to do before it happens."
All of the experts agreed there is a high probability that most companies will be breached and they need to take steps now to mitigate the damage when one occurs.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.