The conviction of Uber's former CSO could change the roles of top security leaders and raises the level of personal risk in the wake of a breach.

Yesterday, a federal jury handed down a guilty verdict to Joe Sullivan, Uber's former CSO, on charges of “obstruction of the proceedings of the Federal Trade Commission and misprision of felony in connection with the attempted cover-up of a 2016 hack at Uber,” according to a notice published by the Department of Justice (DOJ).

US Attorney Stephanie Hinds, upon learning of the verdict, admonished companies that store data about their responsibility to also “protect that data and to alert customers and appropriate authorities when such data is stolen by hackers. Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission (FTC) and took steps to prevent the hackers from being caught. We will not tolerate the concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”

Sullivan’s attorney, David Angeli, told the New York Times, “While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case.” He continued, “Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet.”

Uber verdict ramifications for CISOs

The conviction wasn’t about the breaches, however; the charges related to the breach itself had been dropped. Rather, the trial and conviction were about Sullivan’s decisions in his discussions with the FTC and his failure to report a felony crime. His apparent dissembling to his fellow executives, as alleged in testimony, spoke to his knowledge that a crime had been committed.
In addition, the DOJ made clear that the two perpetrators of the 2016 data breach at Uber were subsequently arrested and convicted of committing cybercrimes, not of participating in a bug bounty program as Sullivan had claimed. Both pleaded guilty on October 30, 2019, to computer fraud conspiracy charges and are awaiting sentencing. “The separate guilty pleas entered by the hackers demonstrate that after Sullivan assisted in covering up the hack of Uber, the hackers were able to commit an additional intrusion at another corporate entity—Lynda.com—and attempt to ransom that data as well,” the DOJ stated in its notice.

That said, Sullivan’s trial was as much about his personal accountability as it was about creating a sea change in liability. Executives responsible for the security of a company and its data now find themselves asking at what point in a breach they become liable for its consequences. Going forward, CSOs and CISOs may be at odds with their senior and peer executives when a strategic decision is made that places the company at risk, even a mitigated risk. As every CSO/CISO knows, there is no such thing as 100% secure. Has this verdict opened a door for victims of a corporate data breach to go after not only the company with which they entrusted their information, but also the executives who shoulder that responsibility?
Whether this is a welcome turn of events or a shock to the system will play out in the coming months as the legal teams of companies that hold personal data evaluate their positions in light of this verdict.

Where does personal liability for CISOs begin and end?

Another question that must be discussed in corporate C-suites is how far down the executive chain of responsibility corporate liability insurance coverage should extend, and what guidance human resources and legal are giving executives about personal liability and their need to obtain personal liability insurance.

David Shackleford told the Washington Post, “Personal liability for corporate decisions with executive stakeholder input is a new territory that’s somewhat uncharted for security executives. I fear it will lead to a lack of interest in our field and increased skepticism about infosec overall.”

Shackleford’s observation played out in the courtroom. The Uber executive team referenced the stories told to them by Sullivan and made it clear that Uber had distanced itself from Sullivan’s decisions. More clearly still, the Uber legal team was protecting Uber, not Sullivan.

While many may look at the totality of the liability a CISO assumes when taking the position as something new and a negative attribute of the job, the ramifications go beyond the individual and seep into their infosec and security teams.

Document, document, document

The prime takeaway from this judgment is the need to document decisions, even the most minuscule, and to be prepared to defend each decision not only internally but to regulators and inspectors. Such documentation may keep the CISO out of the courtroom when dealing with the DOJ, FTC, and Securities and Exchange Commission (SEC).
With the proposed adjustments to the SEC rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure for public companies, and with defendants being asked to defend their operational decisions, we may well evolve to expecting every company to provide a “state of cybersecurity” report on a regular cadence. Edward Amoroso, in his Charlie Ciso cartoon series, captured this aspect elegantly when he depicted CISOs complying with the new reporting requirements and overwhelming the system.

What is clear is that the role of CISO has now changed, and personal liability is a reality.