Former Uber Cyber Chief’s Conviction Sends Warning to C-Suites

Oct. 11, 2022, 4:50 PM UTC

The criminal conviction of former Uber security officer Joseph Sullivan for concealing a data breach is a high-profile reminder to corporate executives of their roles—and potential liability—in company security practices.

The US Department of Justice’s prosecution of Sullivan sends a signal to company executives that they risk sanctions if they don’t handle such episodes properly, attorneys and cybersecurity experts said.

“The Justice Department has made a calculation that they will ultimately empower certain C-suite executives to demand more resources and attention paid to compliance if they hold those executives responsible,” said former federal prosecutor Renato Mariotti, who is now a partner at Bryan Cave Leighton Paisner in Chicago.

There is no accepted standard for who must report a data breach because doing so depends on company structure and typically involves executives, the board, and legal counsel, cybersecurity professionals said.

Senior executives are likely to be held legally liable for company decisions in future breach cases, attorneys said. It’s difficult, though, to determine which positions are most at risk because the DOJ’s focus on executives is a recent development, they said.

The case against Sullivan stems from a 2016 data breach that exposed the information of 57 million Uber users and drivers, which the company took a year to report. Uber was under investigation by the Federal Trade Commission for an earlier breach at the time, and Sullivan’s failure to inform investigators and other company executives was a primary issue, Mariotti said.

Potential Liability

The internal decisions that led to Sullivan’s conviction were “extreme,” but any executive who faces the government should be concerned about potential liability when it comes to breach reporting, Mariotti said.

Chief security officers typically face termination or other blame following a data breach, though that trend has improved in recent years, cybersecurity professionals said.

“CISOs are often little more than, you know, a scapegoat or a straw man for when things go sideways; historically, that’s been the role,” said Padraic O’Reilly, the co-founder of cyber risk management company CyberSaint Security.

Full transparency between chief information security officers and a company’s other stakeholders is essential to preventing a CISO from becoming “a single point of failure on breach information,” O’Reilly said.

A company’s general counsel would be responsible for determining the legal obligations of reporting a breach under state statutes and alerting the correct authorities, said Michael Hamilton, the CISO at cybersecurity company Critical Insight. Executives like the CEO or chief security officer could be responsible for making sure the general counsel has accurate information about the breach, he added.

If a company breach isn’t adequately reported, individuals with the most knowledge of the breach who are highest on the chain of command are most likely to be held liable, Hamilton said. That could include the CEO and attorneys working for general counsel, and an executive like the chief information or security officer if they withheld information about the breach, he said.

“If you’re the CISO, you just want to make sure that you have a governance organization, a formalized governance structure so that there is a way to report up formally documented things,” Hamilton said. “You know, make sure that you get executive fingerprints on decisions.”

Bug Bounties

Deciding to report a data breach should never be an individual decision, so establishing a system to identify and report breaches before one occurs better protects the company and can help distribute the burden of personal responsibility by involving other executives, O’Reilly said.

Several people, including the CEO and members of legal counsel, were aware of Sullivan’s approach to the breach, according to alleged texts between Sullivan and the CEO that prosecutors introduced as evidence in the trial. Uber did not immediately respond to a request for comment.

After the hackers demanded $100,000 not to release the data, Sullivan handled them through the company’s bug bounty program, which is intended to reward white hat hackers who help identify security vulnerabilities, according to prosecutors. That was a misstep, Mariotti said, because bug bounty programs should not be treated as a vehicle to covertly resolve hostile cyber attacks.

“While bug bounty programs are a tool that numerous companies have used in the face of increasing threats from wrongdoers, juries may react skeptically to those programs, and so companies should reconsider their potential civil and/or criminal liability that could come from their connection and participation with those programs,” Mariotti said.

To contact the reporter on this story: Skye Witley at switley@bloombergindustry.com

To contact the editors responsible for this story: Keith Perine at kperine@bloomberglaw.com; Jay-Anne B. Casuga at jcasuga@bloomberglaw.com
