Guilty: A Criminal Conviction For One CISO Has Consequence For Others

Uploaded on 2022-11-15 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law, BUSINESS-Services-IT & Telecoms

If you work in the security sector you’ll almost certainly already know that last month, Uber’s former chief of security was found guilty of covering up a data breach in 2016. Joe Sullivan is now on bail in California awaiting his sentencing hearing, but could face up to eight years in jail for his actions. 

Experts believe the case could have serious repercussions for how security professionals and their companies handle data breaches, further exacerbate the skills crisis in cybersecurity, and raise the stakes for CISOs to be made easy scapegoats under these circumstances.

Others have been shocked by the decision. Author and former New York Times reporter Nicole Perlroth said on Twitter: “dozens of CISOs have told me they would have made the same call he did”. 

The 2016 Uber Breach

According to the case, Sullivan learned in 2016 that hackers had secured access to personal information associated with 57 million of Uber’s riders and drivers. He directed them to the company’s bug bounty programme, which offers financial rewards to those who find security vulnerabilities. The hackers were paid $100,000 and made to sign non-disclosure agreements (NDAs). Uber did not disclose the incident to its customers or inform the US regulator, the Federal Trade Commission, which was already investigating the company over its privacy and security practices at the time. 

The incident came to light in 2017 when new CEO Dara Khosrowshahi fired Sullivan and paid a fine of $148m because it had been slow to reveal the hack. 

Sullivan originally pleaded not guilty and claimed he had internal legal advice that there was no need to disclose the hack if the culprits were identified and they’d agreed to delete the data. One Uber lawyer testified that Sullivan had changed the NDAs to falsely claim the hack was ‘white-hat research’. And it was this decision to cover up the data breach and obstruct the investigation the regulator was already conducting, that landed him in the dock. 

Lessons To Learn

Of course it’s never a good idea to mislead regulators or misdirect an investigation. As a former Department of Justice attorney, Sullivan should have understood his legal obligations better than most. But it does highlight the fear that the role of the CISO is becoming something of a poisoned chalice in today’s high stakes environment. The number of data breaches were at an all time high last year, after all. 

CISOs are under intense pressure to manage more frequent cyber attacks, against a backdrop of the loss of valuable customer information, criticism in the public eye, executive pressure, and regulatory obligations. And while criminal proceedings aren’t commonplace, data breaches can lead to fines and penalties, loss of reputation and civil litigation (particularly in the US). Following a hack of the software company SolarWinds Corp in 2020, investors filed a class action against the company and its executive team, including the security chief. Research by Norton Rose Fulbright found cybersecurity and data protection are expected to be among the top drivers of new legal disputes in the future. 

It’s true that CISOs shouldn’t be used as a scapegoat in the event of data breaches. But they shouldn’t fear criminal prosecution in the UK as long as they don’t seek to cover up incidents. The case shows how companies must do the right thing when they have a data breach.

The rules around breach reporting under the UK GDPR are clear and straightforward, and you can also ask the regulator for advice if you’re unsure. What Sullivan’s case does highlight is the importance for all companies to document the decisions made by whom and why, when a breach occurs.

Organisations should have a clear plan about how the company will respond if an incident does happen, which has been approved by the executive team (including those offering legal advice). CISOs also need a proper budget and buy-in from the wider team, so that they have the resources necessary to act responsibly and effectively, rather than be overly cautious about making the wrong decision.  

Nigel Jones is the co-founder of The Privacy Compliance Hub

You Might Also Read: 

Wanted - A New Generation Of Cyber Security Leaders:

 

« International Fraud Awareness Week: Every Individual Has A Part to Play
How Poor Password Hygiene Could Unravel Your Business »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

ASU Online - Information Technology Program

ASU Online - Information Technology Program

The Information Technology program at ASU Online provides you with the expertise to design, select, implement and administer computer-based information solutions.

Orange Cyberdefense

Orange Cyberdefense

Orange Cyberdefense is the expert cybersecurity business unit of the Orange Group, providing managed security, managed threat detection & response services to organizations around the globe.

SparkCognition

SparkCognition

SparkCognition’s AI-powered solutions enhance cybersecurity, identify and prevent equipment failures before they happen, and provide prescriptive intelligence for maintaining your most critical assets

Vehere

Vehere

Vehere specialises in mission critical signals aquisition and analytics platform and cyber defence systems.

Solidified

Solidified

Solidified is the largest audit platform for smart contracts. Our community has the highest concentration of top Blockchain security specialists and best-in-class code auditors.

Critical Start

Critical Start

Critical Start provides Managed Detection and Response services, endpoint security, threat intelligence, penetration testing, risk assessments, and incident response.

United Network Technologies

United Network Technologies

United Network Technologies is a leading Managed Services Provider, distributor and developer of specialised cyber security components and technologies.

LogicalTrust

LogicalTrust

LogicalTrust security testing specialists find the weakest points in your company and show you how to fix them step-by-step, as well as how to improve your security.

Udacity

Udacity

Udacity's mission is to train the world’s workforce in the careers of the future. Our programs range from beginner to expert levels and deliver the hands-on skills for real-world expertise.

European Center for CyberSecurity in Aviation (ECCSA)

European Center for CyberSecurity in Aviation (ECCSA)

ECCSA is a cooperative partnership within the aviation community to better understand emerging cybersecurity risks in aviation and provide collective support in dealing with cybersecurity incidents.

Sitehop

Sitehop

Sitehop is a cybersecurity technology company developing and supplying FPGA hardware-enforced cyber security solutions for networks.

CYMAR

CYMAR

CYMAR The “CYBER” Smart Solution to offer sustainability and bring resilience to Global SMART Terminals and protect the supply chain of the World’s economy.

Focus on Security

Focus on Security

Focus on Security are Cyber Security recruitment specialists. We’re dedicated to connecting you with the top Cyber Security talent across the globe. We focus on partnerships and results.

ASRC Federal

ASRC Federal

ASRC Federal’s mission is to help federal civilian, intelligence and defense agencies achieve successful outcomes and elevate their mission performance.

Next DLP

Next DLP

Next DLP (formerly Jazz Networks) is a leading provider of insider risk and data protection solutions.

OpenAI

OpenAI

OpenAI is an AI research and deployment company dedicated to ensuring that general-purpose artificial intelligence benefits all of humanity.