Guilty: A Criminal Conviction For One CISO Has Consequence For Others

If you work in the security sector you’ll almost certainly already know that last month, Uber’s former chief of security was found guilty of covering up a data breach in 2016. Joe Sullivan is now on bail in California awaiting his sentencing hearing, but could face up to eight years in jail for his actions. 

Experts believe the case could have serious repercussions for how security professionals and their companies handle data breaches, further exacerbate the skills crisis in cybersecurity, and raise the stakes for CISOs to be made easy scapegoats under these circumstances.

Others have been shocked by the decision. Author and former New York Times reporter Nicole Perlroth said on Twitter: “dozens of CISOs have told me they would have made the same call he did”. 

The 2016 Uber Breach

According to the case, Sullivan learned in 2016 that hackers had secured access to personal information associated with 57 million of Uber’s riders and drivers. He directed them to the company’s bug bounty programme, which offers financial rewards to those who find security vulnerabilities. The hackers were paid $100,000 and made to sign non-disclosure agreements (NDAs). Uber did not disclose the incident to its customers or inform the US regulator, the Federal Trade Commission, which was already investigating the company over its privacy and security practices at the time. 

The incident came to light in 2017 when new CEO Dara Khosrowshahi fired Sullivan and paid a fine of $148m because it had been slow to reveal the hack. 

Sullivan originally pleaded not guilty and claimed he had internal legal advice that there was no need to disclose the hack if the culprits were identified and they’d agreed to delete the data. One Uber lawyer testified that Sullivan had changed the NDAs to falsely claim the hack was ‘white-hat research’. And it was this decision to cover up the data breach and obstruct the investigation the regulator was already conducting, that landed him in the dock. 

Lessons To Learn

Of course it’s never a good idea to mislead regulators or misdirect an investigation. As a former Department of Justice attorney, Sullivan should have understood his legal obligations better than most. But it does highlight the fear that the role of the CISO is becoming something of a poisoned chalice in today’s high stakes environment. The number of data breaches were at an all time high last year, after all. 

CISOs are under intense pressure to manage more frequent cyber attacks, against a backdrop of the loss of valuable customer information, criticism in the public eye, executive pressure, and regulatory obligations. And while criminal proceedings aren’t commonplace, data breaches can lead to fines and penalties, loss of reputation and civil litigation (particularly in the US). Following a hack of the software company SolarWinds Corp in 2020, investors filed a class action against the company and its executive team, including the security chief. Research by Norton Rose Fulbright found cybersecurity and data protection are expected to be among the top drivers of new legal disputes in the future. 

It’s true that CISOs shouldn’t be used as a scapegoat in the event of data breaches. But they shouldn’t fear criminal prosecution in the UK as long as they don’t seek to cover up incidents. The case shows how companies must do the right thing when they have a data breach.

The rules around breach reporting under the UK GDPR are clear and straightforward, and you can also ask the regulator for advice if you’re unsure. What Sullivan’s case does highlight is the importance for all companies to document the decisions made by whom and why, when a breach occurs.

Organisations should have a clear plan about how the company will respond if an incident does happen, which has been approved by the executive team (including those offering legal advice). CISOs also need a proper budget and buy-in from the wider team, so that they have the resources necessary to act responsibly and effectively, rather than be overly cautious about making the wrong decision.  

Nigel Jones is the co-founder of The Privacy Compliance Hub

You Might Also Read: 

Wanted - A New Generation Of Cyber Security Leaders:

 

« International Fraud Awareness Week: Every Individual Has A Part to Play
How Poor Password Hygiene Could Unravel Your Business »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Brookings Institution

Brookings Institution

The Brookings Institution is a nonprofit public policy organization. Cyber security is covered within the various study areas.

Synopsys

Synopsys

Synopsys delivers trusted and comprehensive silicon to systems design solutions, from electronic design automation to silicon IP and system verification and validation.

GuardKnox

GuardKnox

GuardKnox protects the users of connected vehicles against threats that can endanger their physical safety and the safety of their personal information.

Cognni

Cognni

Cognni (formerly Shieldox) will make your InfoSec think like a human, right out of the box, so you can focus on the bigger picture, keeping the information flow safe.

Sabasai

Sabasai

Sabasai specialises in all aspects of insider threat management from training and education to building security frameworks and insider threat programs to on-site risk & vulnerability assessments.

Secura

Secura

The Secura Cyber Security and Intelligence system predicts and prevents security threats by discovering hidden patterns through the meticulous analysis of large amounts of data.

Perimeter 81

Perimeter 81

Perimeter 81 is a Zero Trust Network as a Service designed to simplify secure network, cloud and application access for the modern and distributed workforce.

Data Theorem

Data Theorem

Data Theorem is a leading provider in modern application security. Its core mission is to analyze and secure any modern application anytime, anywhere.

Cybots

Cybots

Cybots is a multinational cyber defence brand founded in Singapore in 2018 to help organizations stay ahead of increasingly sophisticated threats from cyber criminals.

SIXGEN

SIXGEN

SIXGEN provides incident response, operational and penetration testing, red teaming, tool development, cyber training development and continuous monitoring.

Xobee Networks

Xobee Networks

Xobee Networks is a Managed Service Provider of innovative, cost-effective, and cutting-edge technology solutions in California.

Atlas Cloud

Atlas Cloud

Atlas Cloud is a UK-wide provider of managed services based in Newcastle. Our ‘research-led’ approach to IT services helps leaders make better decisions about IT for their businesses.

Turk Telekom

Turk Telekom

Turk Telekom is the first integrated telecommunications operator in Turkey.

Diversified Technical Services Inc. (DTSI)

Diversified Technical Services Inc. (DTSI)

DTSI provides a wide range of technology solutions for Federal Agencies, the Department of Defense, and commerical organizations with capabilities including Cyber Security and DevSecOps.

Leo CybSec

Leo CybSec

Leo CybSec unites a group of Cyber Security experts with 20+ years of collective expertise to help our clients realise and mitigate the cyber challenges and risks facing their business.

Liverton Security

Liverton Security

Liverton Security is a New Zealand-owned cyber security provider offering consultancy and security-related products to government and commercial customers throughout New Zealand.