Guilty: A Criminal Conviction For One CISO Has Consequence For Others

Uploaded on 2022-11-15 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law, BUSINESS-Services-IT & Telecoms

If you work in the security sector you’ll almost certainly already know that last month, Uber’s former chief of security was found guilty of covering up a data breach in 2016. Joe Sullivan is now on bail in California awaiting his sentencing hearing, but could face up to eight years in jail for his actions. 

Experts believe the case could have serious repercussions for how security professionals and their companies handle data breaches, further exacerbate the skills crisis in cybersecurity, and raise the stakes for CISOs to be made easy scapegoats under these circumstances.

Others have been shocked by the decision. Author and former New York Times reporter Nicole Perlroth said on Twitter: “dozens of CISOs have told me they would have made the same call he did”. 

The 2016 Uber Breach

According to the case, Sullivan learned in 2016 that hackers had secured access to personal information associated with 57 million of Uber’s riders and drivers. He directed them to the company’s bug bounty programme, which offers financial rewards to those who find security vulnerabilities. The hackers were paid $100,000 and made to sign non-disclosure agreements (NDAs). Uber did not disclose the incident to its customers or inform the US regulator, the Federal Trade Commission, which was already investigating the company over its privacy and security practices at the time. 

The incident came to light in 2017 when new CEO Dara Khosrowshahi fired Sullivan and paid a fine of $148m because it had been slow to reveal the hack. 

Sullivan originally pleaded not guilty and claimed he had internal legal advice that there was no need to disclose the hack if the culprits were identified and they’d agreed to delete the data. One Uber lawyer testified that Sullivan had changed the NDAs to falsely claim the hack was ‘white-hat research’. And it was this decision to cover up the data breach and obstruct the investigation the regulator was already conducting, that landed him in the dock. 

Lessons To Learn

Of course it’s never a good idea to mislead regulators or misdirect an investigation. As a former Department of Justice attorney, Sullivan should have understood his legal obligations better than most. But it does highlight the fear that the role of the CISO is becoming something of a poisoned chalice in today’s high stakes environment. The number of data breaches were at an all time high last year, after all. 

CISOs are under intense pressure to manage more frequent cyber attacks, against a backdrop of the loss of valuable customer information, criticism in the public eye, executive pressure, and regulatory obligations. And while criminal proceedings aren’t commonplace, data breaches can lead to fines and penalties, loss of reputation and civil litigation (particularly in the US). Following a hack of the software company SolarWinds Corp in 2020, investors filed a class action against the company and its executive team, including the security chief. Research by Norton Rose Fulbright found cybersecurity and data protection are expected to be among the top drivers of new legal disputes in the future. 

It’s true that CISOs shouldn’t be used as a scapegoat in the event of data breaches. But they shouldn’t fear criminal prosecution in the UK as long as they don’t seek to cover up incidents. The case shows how companies must do the right thing when they have a data breach.

The rules around breach reporting under the UK GDPR are clear and straightforward, and you can also ask the regulator for advice if you’re unsure. What Sullivan’s case does highlight is the importance for all companies to document the decisions made by whom and why, when a breach occurs.

Organisations should have a clear plan about how the company will respond if an incident does happen, which has been approved by the executive team (including those offering legal advice). CISOs also need a proper budget and buy-in from the wider team, so that they have the resources necessary to act responsibly and effectively, rather than be overly cautious about making the wrong decision.  

Nigel Jones is the co-founder of The Privacy Compliance Hub

You Might Also Read: 

Wanted - A New Generation Of Cyber Security Leaders:

 

« International Fraud Awareness Week: Every Individual Has A Part to Play
How Poor Password Hygiene Could Unravel Your Business »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Wilson Sonsini Goodrich & Rosati (WSGR)

Wilson Sonsini Goodrich & Rosati (WSGR)

WSGR is the premier provider of legal services to technology, life sciences, and growth enterprises worldwide. Practice areas include cybersecurity and data protection.

8MAN

8MAN

8MAN is a leading Access Rights Management (ARM) solution in Microsoft and virtual server environments.

Zertificon Solutions

Zertificon Solutions

Zertificon is a leader in professional email encryption and data security.

Holm Security

Holm Security

Holm Security are taking vulnerability assessment into the next generation as a cloud service.

Institute for Cyber Security Innovation - Royal Holloway

Institute for Cyber Security Innovation - Royal Holloway

The Institute for Cyber Security Innovation aims to bring together Academia, Industry and Government to be a catalyst for applied research and innovation in cyber security policy and solutions.

ITU Arab Regional Cyber Security Center (ITU-ARCC)

ITU Arab Regional Cyber Security Center (ITU-ARCC)

ITU-ARCC acts as ITU’s cybersecurity hub in the Arab Region localizing and coordinating cybersecurity initiatives.

Trusted Objects

Trusted Objects

Trusted Object's mission is to provide state of the art security solutions and services enabling a strong root of trust for the IoT ecosystem.

ADL Process

ADL Process

ADL Process offer secure data destruction, certified product destruction and responsible electronics recycling services to businesses and institutions.

Query.ai

Query.ai

At Query.AI, we are committed to helping companies unlock the power of their security data, so they are empowered to meet security investigation and response goals while simultaneously reducing costs.

Cyber Bytes Foundation

Cyber Bytes Foundation

Cyber Bytes Foundation exists to establish and sustain a unique Cyber Ecosystem to accelerate the development of a strong Cyber workforce and support community outreach programs.

Cyberfort Group

Cyberfort Group

Cyberfort exists to provide our clients with the peace-of-mind about the security of their data and the compliance of their business.

WhiteJar

WhiteJar

WhiteJar offers an innovative approach to modern cybersecurity needs, empowering Ethical Hackers within its unique crowd platform.

BrainStorm

BrainStorm

BrainStorm Threat Defense takes a new human-focused approach to security awareness that traditional training lacks. It’s a cutting-edge platform to make your users more security savvy.

Onum

Onum

Onum helps security and IT leaders focus on the data that's most important. Gain control of your data by cutting through the noise for deep insights in real time.

Hartman Executive Advisors

Hartman Executive Advisors

Hartman Executive Advisors is an unbiased IT and cyber advisory firm uniquely designed to help mid-market executives maximize their IT investments.

BioID

BioID

BioID are a German company offering deepfake detection, liveness detection, facial authentication & identity verification as a Service.