Guilty: A Criminal Conviction For One CISO Has Consequence For Others
If you work in the security sector you’ll almost certainly already know that last month, Uber’s former chief of security was found guilty of covering up a data breach in 2016. Joe Sullivan is now on bail in California awaiting his sentencing hearing, but could face up to eight years in jail for his actions.
Experts believe the case could have serious repercussions for how security professionals and their companies handle data breaches, further exacerbate the skills crisis in cybersecurity, and raise the stakes for CISOs to be made easy scapegoats under these circumstances.
Others have been shocked by the decision. Author and former New York Times reporter Nicole Perlroth said on Twitter: “dozens of CISOs have told me they would have made the same call he did”.
The 2016 Uber Breach
According to the case, Sullivan learned in 2016 that hackers had secured access to personal information associated with 57 million of Uber’s riders and drivers. He directed them to the company’s bug bounty programme, which offers financial rewards to those who find security vulnerabilities. The hackers were paid $100,000 and made to sign non-disclosure agreements (NDAs). Uber did not disclose the incident to its customers or inform the US regulator, the Federal Trade Commission, which was already investigating the company over its privacy and security practices at the time.
The incident came to light in 2017 when new CEO Dara Khosrowshahi fired Sullivan and paid a fine of $148m because it had been slow to reveal the hack.
Sullivan originally pleaded not guilty and claimed he had internal legal advice that there was no need to disclose the hack if the culprits were identified and they’d agreed to delete the data. One Uber lawyer testified that Sullivan had changed the NDAs to falsely claim the hack was ‘white-hat research’. And it was this decision to cover up the data breach and obstruct the investigation the regulator was already conducting, that landed him in the dock.
Lessons To Learn
Of course it’s never a good idea to mislead regulators or misdirect an investigation. As a former Department of Justice attorney, Sullivan should have understood his legal obligations better than most. But it does highlight the fear that the role of the CISO is becoming something of a poisoned chalice in today’s high stakes environment. The number of data breaches were at an all time high last year, after all.
CISOs are under intense pressure to manage more frequent cyber attacks, against a backdrop of the loss of valuable customer information, criticism in the public eye, executive pressure, and regulatory obligations. And while criminal proceedings aren’t commonplace, data breaches can lead to fines and penalties, loss of reputation and civil litigation (particularly in the US). Following a hack of the software company SolarWinds Corp in 2020, investors filed a class action against the company and its executive team, including the security chief. Research by Norton Rose Fulbright found cybersecurity and data protection are expected to be among the top drivers of new legal disputes in the future.
It’s true that CISOs shouldn’t be used as a scapegoat in the event of data breaches. But they shouldn’t fear criminal prosecution in the UK as long as they don’t seek to cover up incidents. The case shows how companies must do the right thing when they have a data breach.
The rules around breach reporting under the UK GDPR are clear and straightforward, and you can also ask the regulator for advice if you’re unsure. What Sullivan’s case does highlight is the importance for all companies to document the decisions made by whom and why, when a breach occurs.
Organisations should have a clear plan about how the company will respond if an incident does happen, which has been approved by the executive team (including those offering legal advice). CISOs also need a proper budget and buy-in from the wider team, so that they have the resources necessary to act responsibly and effectively, rather than be overly cautious about making the wrong decision.
Nigel Jones is the co-founder of The Privacy Compliance Hub
You Might Also Read:
Wanted - A New Generation Of Cyber Security Leaders: