The person responsible for protecting Uber’s data was found guilty of inadequately safeguarding that information, which makes CISOs’ personal liability real. An Uber data breach that occurred in 2016 was covered up by former CSO Joe Sullivan and other senior executives, resulting in a guilty verdict on October 5th, 2022 and a subsequent indictment by the Department of Justice. This sentence is a growing concern inside the cybersecurity community, as it raises the personal risk attached to cybersecurity leadership positions and cybersecurity staff, but also to the business of CISO-as-a-Service and Virtual CISO providers.
Uber data breaches of 2014 and 2016
In May 2014, according to Uber’s Managing Counsel, 50,000 drivers across the United States were affected by this breach. Because the data accessed by an unknown third party contained only names and driver’s licence numbers, Uber maintained that it affected only a small percentage of its driver base. Uber simply sent a notification to the affected drivers. But in September, the company learned that access to the database had not been restricted, allowing anyone to grab the data. Uber declared that it had immediately taken steps to prevent anyone from accessing the database using that information and had taken other safety measures to protect it.
In November 2017, Uber revealed that hackers had gained access to the personal information of 57 million riders and drivers. According to CEO Dara Khosrowshahi, the company concealed the breach for over a year. Instead of reporting the breach, Uber paid hackers $100,000 to delete the information. Uber’s decision to cover up this breach was a blatant violation of the public’s trust. In clear defiance of the law, the company neglected to safeguard user data or notify the authorities when it was exposed.
The verdict in the Uber case could have ramifications for CISOs.
The conviction wasn’t about the breaches, but rather about former CISO Joe Sullivan’s choices with respect to his discussions with the FTC and his failure to report a felony crime. The charges related to the breach itself had been dropped.
The DOJ made clear that the two perpetrators of the 2016 Uber data breach were arrested and convicted of cybercrimes, not of participating in bug bounty programmes, as Sullivan claimed. Sullivan’s lying to his colleagues, as testified to by the DOJ, spoke volumes about his knowledge that a crime had taken place. Both hackers pleaded guilty on October 30, 2019 to computer fraud conspiracy charges and are awaiting sentencing. After Sullivan helped conceal the Uber data breach, the hackers were able to commit another intrusion at Lynda.com and attempt to ransom the data, according to the DOJ.
However, Sullivan’s trial was as much about establishing a liability paradigm shift as it was about personal accountability. CEOs responsible for the security of their company and its data now find themselves pondering at what point a breach will be considered to have caused harm.
In future, CSOs and CISOs may find themselves disagreeing with their senior and equal colleagues on corporate risk management decisions, even when those decisions decrease risk. Every CSO/CISO recognises that there is no such thing as total security. Has the court’s judgement opened the door for data breach victims to target the executives who were responsible for safeguarding their information? It will be interesting to see how this decision impacts corporate security policy in the coming months, as attorneys review their positions in light of it.
What are the limits of personal liability for CISOs?
At what level should corporate liability insurance coverage extend down the executive chain of command? What guidance are human resources and legal departments giving their executives about personal liability? Do executives need to obtain personal liability insurance? Those are the next questions that must be answered.
According to the Washington Post, a number of security executives are wary about how participation in corporate decisions as an executive stakeholder will affect their personal liability. In addition, infosec may come to be perceived as a less attractive field, and the public may grow more skeptical overall.
This concern was corroborated in court. Uber’s executive team pointed out that Sullivan’s account of events informed their decisions, and Uber distanced itself from his actions. The Uber legal team, for its part, was committed to protecting Uber, not Sullivan.
The CISO who takes the position bears all the liability. But the consequences go beyond the individual and affect their infosec and security teams as well.
Keep records, keep records, keep records.
The most important takeaway from this case is the need to document even the smallest decision, and to be able to defend it, both to other employees and to regulators and investigators. A CISO who does not keep records of his decisions may find that the DOJ, SEC, and FTC prevent him from defending those decisions in court (Mold & Pepper, 2018).
If the SEC’s proposed changes to the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules are passed, public companies and defendants may be required to defend their operational decisions (Mold & Pepper, 2018).
As CISOs now play a more significant role and personal liability is a fact, companies that provide Virtual CISO, shared-time CISO or CISO-as-a-Service offerings may see a boom in demand. But that does not necessarily mean it is good news. Customers may be tempted to reduce executive liability by outsourcing the legal risk to a third party. This is already what happens with external strategic consultants or external accounting firms.
In reaction, external cybersecurity service providers may increase their prices to cover the possible liability of their consultants, and so may freelancers.