Uber breach case a ‘watershed moment’ for CISOs’ liability risk

An upcoming case to determine whether the former Uber CSO failed to report a breach puts the legal liabilities of being a CISO in the spotlight. CISOs have a few options to minimize that risk.


Since former Uber CSO Joe Sullivan was charged in August with two felonies for failing to report a 2016 breach that exposed 607,000 personal records, CISOs are scrambling to determine their own personal liability for breaches in their organizations. The charges — obstruction of justice and misprision of a felony (failure to report a crime) — carry potential jail time of up to five years and three years, respectively.

“This is a watershed moment,” notes Robert Rodriguez, chairman of SINET and a former special agent with the US Secret Service. “CISOs differ on the matters of disclosure, who notifies law enforcement, and the way directors and officers (D&O) indemnity insurance is designated.”

Most CISOs agree that the best way to reduce liability is to do the right thing. In this case, that would have been to report the breach to law enforcement, with or without the support of upper management. In fact, 70 of the 100 CISOs polled during a virtual briefing by Sullivan’s legal team in September said it was common practice at their organization for the general counsel’s office to notify authorities when a cybersecurity incident occurs.

“At the end of the day, Uber’s CSO still covered up a breach that he was required to report,” says Lynn Mattice, who was formerly CSO at Northrop, Whirlpool and Boston Scientific and now runs an enterprise risk management consulting practice. “There is no right way to do the wrong thing.”

The crime and the cover-up
