Cybersecurity lawyers told SC Media on Thursday that yesterday’s jury conviction of former Uber chief security officer Joe Sullivan for misleading regulators about the 2016 breach should serve as a clear indication that CISOs must turn over required notices on data breaches to federal and state regulators.
In short: it’s never a good idea to mislead federal or state regulators.
“CISOs must not obstruct or misdirect an investigation, period,” said Kathleen McGee, a partner in the tech group and white collar criminal defense practices at Lowenstein Sandler LLP. “That’s not new and will not change.”
McGee said that, as a former Justice Department lawyer (Sullivan served as an Assistant U.S. Attorney in Las Vegas and the Northern District of California), Sullivan should have fully understood his legal obligations. Sullivan was found guilty of obstructing justice for keeping the breach from the Federal Trade Commission and of actively hiding a felony.
“Traditionally, CISOs are responsible for, among other things, ensuring that accurate information regarding a data compromise is accurately conveyed to both corporate executives and regulators. In this case, the CISO was also a former DOJ attorney, which frankly increased his basis of knowledge beyond a traditional CISO, whether he was practicing law at the time or not,” McGee said. “Sullivan should have been well-aware of his obligation to continue informing federal regulators and the state attorneys general about this additional incident and should have been well-positioned to assess the risk involved in misleading authorities regarding the hacking.”
McGee added that the concern about how yesterday’s verdict will impact CISOs was somewhat misdirected. She said CISOs and corporate executives need to understand that regulators are taking data security seriously, but “efforts to misdirect or hide information from regulators or law enforcement generally have always been a serious offense of their own accord.”
Brian Mannion, chief legal officer and data protection officer at Aware, said the criminal nature of the Uber case will be regularly presented to CISOs as a reason to comply with data breach notification laws.
“CISOs have been under intense pressure as they manage new attack vectors along with new regulatory obligations,” Mannion said. “They have to make it harder for the nefarious actor to access the company data, and when access does occur, find it, stop it, and determine what data was impacted all at an impossibly quick speed. This case will only serve as another pressure point to force CISOs to try and meet these incredibly difficult expectations.”
The buck may stop with CISOs on breaches, but some security executives reached by SC Media nonetheless expressed sympathy for Sullivan.
Rick Holland, chief information security officer and vice president of strategy at Digital Shadows, said CISOs already have a challenging job, and this case raises the stakes for what he called “CISO scapegoating.” He posed the following questions: How might the Sullivan verdict impact the number of leaders willing to take on the potential personal liability of the CISO role? Could we see more whistleblower cases, as we saw with Twitter?
“I expect to see more CISOs negotiating Directors and Officers insurance into their employment contracts, [which] offers personal liability coverage for decisions and actions the CISO might take,” Holland said. “In addition, in the same way that both the CEO and CFO became responsible for corruption on the heels of Sarbanes-Oxley and the Enron scandal, CISOs shouldn’t be the only roles guilty in the event of wrongdoing around intrusions and breaches.”
Neil Thacker, CISO at Netskope, said the international CISO community has been watching this case very closely and pondering its repercussions for some time. While there’s very little doubt among his peers that this case was about a serious misjudgment on Sullivan's part, he said “hindsight is a wonderful thing” and that the public may never fully understand the complex factors and influences that led to his decisions.
“One of the biggest concerns within the [CISO] community is an acknowledgment of the possible pressure that may have been exerted from other internal authorities upon the CISO, which led him to make the decisions,” Thacker said. “We won’t know the full repercussions for some time, but I would expect that we will see a number of CISOs and aspiring CISOs opting to make different career decisions based on this latest example of the personal risk burden, and we may see this further impacting the existing skills crisis in cybersecurity.”