Uber’s former Chief of Security, Joe Sullivan, was recently convicted by a federal jury for obstructing a government investigation and for the concealment of a felony from the Federal Trade Commission (FTC).
Chief Information Security Officers (CISOs) have been following the trial closely as it is the first time a company executive has faced criminal prosecution regarding a data breach.
For many CISOs, Sullivan’s conviction sets a frightening precedent. To be held responsible for the cybersecurity policy of an entire company is a heavy burden. The federal government, on the other hand, considers the conviction a win and wants to send a clear message to the corporate world: executives who do not comply with federal cybersecurity regulations can and will be prosecuted.
Two Uber Data Breaches
In 2014, Uber’s database was breached and the incident was reported to the FTC. Even though it happened before Sullivan joined the company, the federal investigation continued into 2015. It was Sullivan who withheld information during the investigation.
In 2016, hackers broke into the Uber database and stole millions of user records and driver’s license numbers. As Chief of Security, Sullivan attempted to negotiate with the hackers, which culminated in a payoff of $100,000 in bitcoin and a non-disclosure agreement (NDA) signed by the hackers. The latter was a crucial point for prosecutors, who argued that Sullivan intended to cover up and conceal the entire incident.
Sullivan allegedly booked the payoff as part of the company’s bug bounty program, a program many companies run, offering cash rewards to white hat hackers who find bugs in their software. In doing so, Sullivan disguised the true nature of the expense.
However, according to his legal team, Sullivan consulted with Uber’s former CEO, Travis Kalanick, and concluded that he did not need to report the incident. (Travis Kalanick later had to resign due to scandalous reports about the way he ran the company.)
The breach came to light in 2017, when Dara Khosrowshahi took the helm as the company’s new CEO and initiated a general house cleaning.
What Does Sullivan’s Conviction Mean for the Cybersecurity Industry?
Sullivan’s conviction showcases the federal government’s new tough stance on cybersecurity regulation enforcement. It also highlights how CISOs are personally on the hook for the policies of a corporation.
Likely outcomes of Sullivan’s conviction include:
● More CISOs will negotiate personal liability insurance into their employment contracts.
● CISOs will demand that CEOs, CFOs, and other C-suite executives also be on the line for major security decisions.
● More whistleblowers (like the Twitter case) may come out of the woodwork given the increased personal liability involved in major cybersecurity decisions.
With the federal government’s tough stance on compliance, there does not seem to be a solution to the shortage of cybersecurity professionals in the U.S. If anything, Sullivan’s conviction will make CISOs think twice before committing to a corporate leadership role. While federal prosecutors may have won the battle, it is yet to be seen whether U.S. corporations have the manpower to win the war against cybercriminals.