In a case that ups the stakes for CSOs dealing with data breaches, former Uber chief security officer Joe Sullivan was found guilty by a federal jury earlier this week of obstructing justice and of misprision (concealing) of a felony in connection with his coverup of a 2016 breach.
United States Attorney Stephanie M. Hinds said in a statement that technology companies that collect and store vast amounts of user data must protect that data and alert customers and authorities if it’s stolen.
“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” Hinds said. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”
FBI Special Agent in Charge Robert K. Tripp added, “The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur.”
Ransom Payments and Cover Up
Sullivan was hired as Uber’s chief security officer in April 2015, soon after the company disclosed to the FTC that it had been hacked the previous year. The following month, the FTC served Uber with a Civil Investigative Demand, requiring extensive information about any other unauthorized data access, as well as information on Uber’s data security program and practices.
Sullivan played a central role in Uber’s response, testifying under oath in November 2016.
However, about ten days after testifying, Sullivan learned that Uber had been breached again, exposing the records of roughly 57 million users and drivers, including 600,000 driver’s license numbers. The hackers in this case demanded a ransom.
Sullivan didn’t handle the news well, but he should have known better: he’s a former Assistant U.S. Attorney and was a founding member of the Computer Hacking and Intellectual Property unit of the U.S. Attorney’s Office for the Northern District of California.
Rather than notifying the FTC, Sullivan told a subordinate not to “let this get out,” that information about the breach needed to be “tightly controlled,” and that to anyone outside Uber’s security group, “this investigation does not exist.” He continued to conceal the breach both from the FTC and from Uber’s own lawyers as Uber paid the hackers $100,000 in Bitcoin in exchange for NDAs promising not to reveal the breach.
According to the U.S. government statement, Sullivan continued to lie about the specifics of the hack to Dara Khosrowshahi, who took over as Uber’s new CEO in August 2017, and to the company’s lawyers. It wasn’t until November 2017 that Uber’s new leadership determined the facts and finally disclosed the breach publicly.
Sullivan, who is currently free on bond, faces up to eight years in prison. His sentencing date hasn’t yet been set.
What CSOs Should Do
ImmuniWeb founder Ilia Kolochenko said the case is part of a broader global trend of holding cybersecurity executives accountable for breaches at their companies. “In the future, we will likely see more CISOs, DPOs and board members civilly liable or even face criminal prosecution for security or privacy incidents,” he said. “Many countries have already implemented – by the virtue of statutory or case law – personal accountability of executives for data breaches.”
In response, Kolochenko said, there are several steps executives need to take. “Cybersecurity executives should urgently ascertain that their employment contracts address such vital issues as coverage of legal fees in case of a civil lawsuit or prosecution in relation to their professional responsibilities, as well as a guarantee that their employer will not sue them – as victimized companies may also sue their own executives in case of security incidents,” he said.
“Finally, cybersecurity executives should be always prepared to demonstrate a systemized, continually improved and comprehensive data protection and privacy strategy, as well as solid evidence of regular and coherent implementation thereof,” he added. Such requirements are also at the heart of data privacy laws like GDPR, making them a compliance need too.