Truth, transparency and trust are the three T’s that all CISOs and CSOs should embrace as they march through their daily grind of keeping their enterprise and the data safe and secure. Failure to adhere to the three T’s can have serious consequences.

Case in point: A federal judge recently ordered Uber Technologies to work with its former CSO, Joseph Sullivan (who held the position from April 2015 to November 2017), and review a plethora of Uber documents that Sullivan has requested in unredacted form for use in his defense in the upcoming criminal trial.

The case against Uber’s former CSO

By way of background, Uber’s former CSO faces a five-felony-count superseding indictment associated with his handling of the company's 2016 data breach. The court document, filed in December 2021, alleges Sullivan “engaged in a scheme designed to ensure that the data breach did not become public knowledge, was concealed, and was not disclosed to the FTC and to impacted users and drivers.” Furthermore, the two individuals who are believed to have effected the hack and subsequently requested payment for non-disclosure ultimately received $100,000 from Uber’s bug bounty program. These individuals were identified in media as Vasile Mereacre, a Canadian citizen living in Toronto, and Brandon Glover, a Florida resident, both of whom were later indicted for their breach of Lynda (a company acquired by LinkedIn).

Uber’s late breach notification

It would be November 2017 when the new CEO, Dara Khosrowshahi, provided context surrounding the breach and acknowledged that the advisory from the company was a year late. Apparently, the in-house discussion at the time of the breach cataloged the event as a “bug bounty” payout and not a breach, and thus saw no need to disclose it.
Semantics or subterfuge? The subsequent settlements and Khosrowshahi’s statement indicate the latter may be at play.

The breach included names, email addresses, and mobile phone numbers of 57 million Uber users around the world, including the names and license numbers of 600,000 of the company's drivers. Included within the statement was the revelation that two individuals associated with the breach incident response had been terminated that same day (no names provided).

Meanwhile, in September 2018, California, the San Francisco attorney general, and the California state attorney general announced a $148 million nationwide settlement “resolving allegations that Uber Technologies, Inc., violated state data breach reporting and reasonable data security laws.” The settlement included specific actions and reforms within Uber:

- Implement and maintain robust data security practices.
- Comply with state laws in connection with its collection, maintenance, and safeguarding of personal information, as well as reporting of data security incidents.
- Accurately and honestly represent data security and privacy practices to better ensure transparency in how the company’s driver and customer information is safeguarded.
- Develop, implement and maintain a comprehensive information security program with an executive officer who advises key executive staff and Uber’s Board of Directors.
- Report any data security incidents to states on a quarterly basis for two years.
- Maintain a corporate integrity program that includes a hotline to report misconduct, quarterly reports to the board, implementation of privacy principles, and an annual code of conduct training.

In October 2018, the Federal Trade Commission (FTC) dropped its hammer, with Uber agreeing to a settlement. Within the settlement, the 2016 breach and the 2014 breach are each dissected and explained. The pathway to the 2016 compromise? An Uber engineer had posted the Amazon S3 datastore access key on GitHub.
The hackers “accessed Uber’s GitHub page using passwords that were previously exposed in other large data breaches.”

Lesson for CISOs: Be honest and transparent with board, C-suite

Fast forward to 2022 and the last piece of the legal morass enveloping Uber’s 2016 data breach is reaching its conclusion: the trial of the former Uber CSO Sullivan.

It is clear from the most recent court filings that Uber doesn’t wish to have its internal emails splayed out on the table in court, and Sullivan’s attorney believes that some of those internal emails will serve to mitigate and address the allegations brought forward by the DOJ. Was the company’s legal team a party to the semantic wordplay that cataloged the hackers as bug bounty awardees?

The judge has provided a timeline for the parties to sort out which internal documents are contentious and to make their case pending judicial review and adjudication. Then, the items will be declared to prosecutors.

Violet Sullivan, a cybersecurity and privacy attorney who serves as the vice president of client engagement at Redpoint Cybersecurity, observes that there is a very real need to effectively brief the board and C-suite on the realities of cybersecurity: it is not 100% secure. Furthermore, the harsh reality is that many CISOs who don't take the time to educate find their employment terminated in the event of a breach.

I agree. Much of the information security or CSO team’s success is predicated on the allocation of resources. As detailed in the FTC settlement, what is represented must match that which is practiced.
Uber is now enjoying years of federal oversight and review of its “privacy program and for 20 years (beginning in 2018) obtain biennial independent, third-party assessments, which it must submit to the Commission, certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.”

It is not difficult to embrace the doctrine of truth, transparency, and trust by making an investment upfront in basic cybersecurity processes, event remediation, and, above all, consistent documentation processes. It is much more cost-effective than the millions of dollars in fines, loss of trust, and years of over-the-shoulder review by various entities of the federal government.