Guilty: A Criminal Conviction For One CISO Has Consequence For Others

Uploaded on 2022-11-15 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law, BUSINESS-Services-IT & Telecoms

If you work in the security sector you’ll almost certainly already know that last month, Uber’s former chief of security was found guilty of covering up a data breach in 2016. Joe Sullivan is now on bail in California awaiting his sentencing hearing, but could face up to eight years in jail for his actions. 

Experts believe the case could have serious repercussions for how security professionals and their companies handle data breaches, further exacerbate the skills crisis in cybersecurity, and raise the stakes for CISOs to be made easy scapegoats under these circumstances.

Others have been shocked by the decision. Author and former New York Times reporter Nicole Perlroth said on Twitter: “dozens of CISOs have told me they would have made the same call he did”. 

The 2016 Uber Breach

According to the case, Sullivan learned in 2016 that hackers had secured access to personal information associated with 57 million of Uber’s riders and drivers. He directed them to the company’s bug bounty programme, which offers financial rewards to those who find security vulnerabilities. The hackers were paid $100,000 and made to sign non-disclosure agreements (NDAs). Uber did not disclose the incident to its customers or inform the US regulator, the Federal Trade Commission, which was already investigating the company over its privacy and security practices at the time. 

The incident came to light in 2017 when new CEO Dara Khosrowshahi fired Sullivan and paid a fine of $148m because it had been slow to reveal the hack. 

Sullivan originally pleaded not guilty and claimed he had internal legal advice that there was no need to disclose the hack if the culprits were identified and they’d agreed to delete the data. One Uber lawyer testified that Sullivan had changed the NDAs to falsely claim the hack was ‘white-hat research’. And it was this decision to cover up the data breach and obstruct the investigation the regulator was already conducting, that landed him in the dock. 

Lessons To Learn

Of course it’s never a good idea to mislead regulators or misdirect an investigation. As a former Department of Justice attorney, Sullivan should have understood his legal obligations better than most. But it does highlight the fear that the role of the CISO is becoming something of a poisoned chalice in today’s high stakes environment. The number of data breaches were at an all time high last year, after all. 

CISOs are under intense pressure to manage more frequent cyber attacks, against a backdrop of the loss of valuable customer information, criticism in the public eye, executive pressure, and regulatory obligations. And while criminal proceedings aren’t commonplace, data breaches can lead to fines and penalties, loss of reputation and civil litigation (particularly in the US). Following a hack of the software company SolarWinds Corp in 2020, investors filed a class action against the company and its executive team, including the security chief. Research by Norton Rose Fulbright found cybersecurity and data protection are expected to be among the top drivers of new legal disputes in the future. 

It’s true that CISOs shouldn’t be used as a scapegoat in the event of data breaches. But they shouldn’t fear criminal prosecution in the UK as long as they don’t seek to cover up incidents. The case shows how companies must do the right thing when they have a data breach.

The rules around breach reporting under the UK GDPR are clear and straightforward, and you can also ask the regulator for advice if you’re unsure. What Sullivan’s case does highlight is the importance for all companies to document the decisions made by whom and why, when a breach occurs.

Organisations should have a clear plan about how the company will respond if an incident does happen, which has been approved by the executive team (including those offering legal advice). CISOs also need a proper budget and buy-in from the wider team, so that they have the resources necessary to act responsibly and effectively, rather than be overly cautious about making the wrong decision.  

Nigel Jones is the co-founder of The Privacy Compliance Hub

You Might Also Read: 

Wanted - A New Generation Of Cyber Security Leaders:

 

« International Fraud Awareness Week: Every Individual Has A Part to Play
How Poor Password Hygiene Could Unravel Your Business »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

TrustedSec

TrustedSec

TrustedSec is an information security consulting services, providing tailored solutions and services for small, mid, and large businesses.

Lookout

Lookout

Lookout is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack.

Fasoo

Fasoo

Fasoo provides data-centric security to protect data within the organizational perimeter and beyond by limiting access to sensitive data according to policies that cover both users and activities.

Careers in Cyber Security (CiCS)

Careers in Cyber Security (CiCS)

CareersinCyberSecurity is a leading global job board and career resource for Cyber Security, IT Audit, Technology Risk and Data Protection professionals.

BooleBox

BooleBox

Boolebox is the innovative suite of enterprise data protection applications that preserve the integrity and confidentiality of data from any unauthorized access.

Checksum Consultancy

Checksum Consultancy

Checksum Consultancy specializes in Information security, Risk management, and IT governance.

Phy-Cy.X Security Group

Phy-Cy.X Security Group

Phy-Cy.X specialize in the “Physics” of Information Security through both physical and cyber domains. We are not an IT company, we ARE an Information Security company.

Xopero Software

Xopero Software

Xopero Software develops a comprehensive range of professional tools for protecting and restoring critical business data.

Citadel Cyber Security

Citadel Cyber Security

Citadel is a leading 'One Stop Shop' provider of consulting services in cyber and information security. Our experts operate in hundreds of business organizations in Israel and around the world.

ThreatLocker

ThreatLocker

The ThreatLocker Platform provides a Zero Trust security solution that offers a unified approach to protecting users, devices, and networks against the exploitation of zero day vulnerabilities.

Locuz

Locuz

At Locuz, we’ve made it our mission to help businesses like yours create an actionable digital strategy.

Trickest

Trickest

Trickest enables Enterprises, MSSPs, and Ethical Hackers to build automated offensive security workflows from prototype to production.

Ofcom

Ofcom

Ofcom is the UK's communications regulator. We regulate the TV, radio and video on demand sectors, fixed line telecoms, mobiles, postal services, plus the airwaves over which wireless devices operate.

The Cyber Scheme

The Cyber Scheme

The Cyber Scheme provides NCSC certified and assured assessments, training and career support for security testers & technical cyber professionals.

Adaptiva

Adaptiva

Adaptiva, the autonomous endpoint management company, delivers the fastest way to patch and manage endpoints at scale.

C5 Technology

C5 Technology

C5 Technology specialises in the provision of networking, security, and infrastructure services to enterprises and government agencies.