Guilty verdict in Uber breach case makes personal liability real for CISOs
Yesterday, a federal jury returned a guilty verdict against Joe Sullivan, Uber’s former CSO, for “obstructing Federal Trade Commission proceedings and misprision of felony in connection with the attempted cover-up of a 2016 hack at Uber,” according to a notice published by the Department of Justice (DOJ).
U.S. Attorney Stephanie Hinds, after learning of the verdict, warned companies that store data of their responsibility to “protect that data and alert customers and appropriate authorities when that data is stolen by hackers.” She continued: “Sullivan worked to hide the data breach from the Federal Trade Commission (FTC) and took steps to prevent the hackers from being caught. We will not tolerate the withholding of material information from the public by corporate executives more concerned with protecting their reputation and that of their employers than protecting users. If such conduct violates federal law, it will be prosecuted.”
Sullivan’s attorney, David Angeli, told The New York Times, “While we clearly disagree with the jury’s verdict, we appreciate their dedication and effort in this case.” He continued, “Mr. Sullivan’s sole purpose – in this incident and throughout his distinguished career – has been to keep people’s personal data safe on the Internet.”
Consequences of the Uber verdict for CISOs
However, the conviction did not concern the breach itself; the charges related to the breach had been dropped. Rather, the trial and verdict focused on Sullivan’s decisions regarding his discussions with the FTC and his failure to report a felony.
His apparent concealment of the incident from his fellow executives, as alleged in the testimony, showed that he knew a crime had been committed. Additionally, the DOJ made it clear that the two perpetrators of the 2016 data breach at Uber were later arrested and convicted of committing cyber crimes, rather than participating in a bug bounty program as Sullivan had claimed. Both pleaded guilty on October 30, 2019 to computer fraud conspiracy charges and are awaiting sentencing. “The separate guilty pleas filed by the hackers demonstrate that after Sullivan helped cover up the Uber hack, the hackers were able to make a further intrusion into another corporate entity – Lynda.com – and also attempt to buy that data,” the DOJ said in its notice.
That said, Sullivan’s trial was as much about his personal accountability as it was about creating a sea change in accountability more broadly. Those responsible for the security of a company and its data are now wondering at what point in a breach they become personally responsible for its consequences.
In the future, CSOs and CISOs may find themselves at odds with their senior management and peer groups when a strategic decision is made that puts the business at risk, even a mitigated risk. As every CSO/CISO knows, there is no such thing as 100% security. Does this verdict open the door for victims of a corporate data breach to sue not only the company they trusted with their information, but also the executives who bear that responsibility? Whether this is a welcome turn of events or a shock to the system will play out in the months to come, as the legal teams of companies that hold personal data assess their positions in light of this verdict.
Where does the personal responsibility of CISOs begin and end?
Another issue that needs to be discussed in corporate C-suites is how far management’s chain of responsibility should extend, and what HR and legal guidance leaders receive regarding personal liability and their need to obtain personal liability insurance.
David Shackleford told the Washington Post, “Personal accountability for corporate decisions with input from management stakeholders is new and somewhat uncharted territory for security leaders. I fear this will lead to a lack of interest in our field and increased skepticism towards infosec in general.” Shackleford’s observation played out in the courtroom. Uber’s management team referred to the account Sullivan had given, while making clear that Uber had distanced itself from Sullivan’s decisions. More plainly, Uber’s legal team was protecting Uber, not Sullivan.
While many may view the full responsibility a CISO takes on when accepting the job as something new and a negative attribute of the role, the ramifications go beyond the individual and seep into their teams and into infosec and security more broadly.
Document, document, document
The main lesson to be drawn from this judgment is the need to document decisions, even the most minute ones, and to be ready to defend each decision, not only internally but also before regulators and inspectors. Such documentation can keep the CISO out of the courtroom when dealing with the DOJ, the FTC, and the Securities and Exchange Commission (SEC). With proposed adjustments to SEC rules on cybersecurity risk management, strategy, governance and incident disclosure, and with public companies being asked to defend their operational decisions, we may well come to expect each company to provide a “state of cybersecurity” report at regular intervals. Edward Amoroso, in his cartoon series Charlie Ciso, elegantly captured this aspect when he depicted CISOs complying with new reporting requirements and overwhelming the system.
What is clear is that the role of the CISO has now changed and personal responsibility is a reality.
Copyright © 2022 IDG Communications, Inc.