On Oct. 5, 2022, former Uber chief security officer (CSO) Joe Sullivan was convicted of felony charges related to his handling of a 2016 breach involving 57 million records of Uber’s customer data and 600,000 driver license numbers.
While the U.S. Department of Justice’s Corporate and Securities Fraud Section trumpeted the results, it sent shivers up the spines of chief information security officers (CISOs) and CSOs around the country. Why? Because the outcome (1) works to further the idea that CISOs/CSOs should take the fall for any major cyber incident and (2) makes boards and C-suite executives less likely to want to know about cyber risks so they can plead ignorance instead of being held accountable.
We were just getting boards and executives past the ridiculous notion that cyber risk assessments were bad practice because they merely documented risks that the company would then have to address. Finally, companies were comprehending that cyber risk assessments are essential to demonstrate good governance and to understand the maturity of their cyber-security programs. Board risk committees were starting to view cyber risks as enterprise risks, and boards were getting more involved in cyber risk management. The outcome in the Sullivan case will likely set those advancements back.
By way of background, Joe Sullivan—a highly respected CSO and former DOJ cyber-crime prosecutor—had worked at Uber about 18 months when he was contacted by criminals saying they had obtained credentials enabling them to access a treasure trove of Uber’s personal data. Sullivan confirmed their claims and told Travis Kalanick, Uber’s founder and then-CEO, about the incident the following day. Uber’s general counsel was not informed about the incident, even though Sullivan worked with an in-house Uber attorney, Craig Clark.
Sullivan proposed to pay the criminals their requested $100,000 by using a bug bounty program, but he also required the criminals to sign a nondisclosure agreement stating they would not disclose the breach and had not accessed or stored the data (DOJ said this latter clause was false). According to trial testimony, Sullivan made final edits to the NDA that was negotiated with the criminals. He also worked internally to keep the breach secret.
At the time, Uber was under investigation by the Federal Trade Commission due to a 2014 breach involving 50,000 records of consumer data. The company had been served a civil investigative demand (CID) by the FTC that demanded information about the company’s cyber-security program and instances of unauthorized access. Sullivan had been involved in the company’s responses to the CID. After he learned of the 2016 incident, he did not inform the FTC about it, but, to be fair, responses to the CID were not solely his responsibility; they were the general counsel’s.
After the breach was revealed, the U.S. government, for the first time, decided to charge the CSO of a company with obstructing proceedings of the FTC and misprision of felony in connection with concealment of the breach. The department won a conviction in a highly visible case. But that was the wrong outcome, because it was the wrong case to bring.
Perpetuating the Problem
DOJ should have charged Uber’s executive team and board or—at a minimum—both Kalanick and Sullivan. Why? Because Uber’s handling of this entire matter was a failure of cyber governance, and DOJ lost the opportunity to highlight that and use Uber as an example for other companies. The executive team—other than Kalanick—was not informed of the incident, the board was clueless, and there were glaring segregation-of-duties problems. By charging only the CSO, DOJ implicitly blessed that behavior and lack of governance and made the “ostrich defense” attractive.
Current best practices and standards for governance of information security, such as ISO 27014 and 24143, set forth specific responsibilities (1) for the C-suite in managing cyber risks and implementing the cyber-security program and (2) for the board in exercising oversight of cyber risk management. This includes identifying key cyber risks, receiving regular information about those risks, and establishing a process for monitoring them. It also means ensuring that roles and responsibilities for CISOs and CSOs are defined and that duties are segregated so critical functions are separated between roles, such as IT and security, IT and legal, and security and privacy.
Uber apparently had no cyber governance structure, no information flows on critical cyber risks, and no process for escalation of issues within the C-suite and board. This is not surprising, as Uber generally functioned—at least prior to Dara Khosrowshahi’s appointment as CEO—as a wild teenager with no supervising parent. Kalanick knew of the breach the next day but apparently did not tell his general counsel or other members of the C-suite. The general counsel seemingly did not have procedures in place that required the in-house attorney working with Sullivan to inform the GC of the issue. Segregation of duties appeared to be nonexistent, since Sullivan was able to operate as both attorney and CSO (just because he is also an attorney does not mean that he should perform that function in a CSO role).
In charging only Sullivan, the government blew the opportunity to drive home the importance of cyber governance and adherence to cyber-security best practices and standards. It reinforced the notion that, if executives and boards are unaware, they will not face criminal charges. So, of course, directors and officers will be less likely to ask questions about the company’s cyber-security program or recent incidents. In fact, they will be incentivized to do everything possible not to know about an incident or details about how it is being managed. Since they are likely to bear the blame, CISOs and CSOs will be equally motivated to downplay an incident to senior management—or even cover up or lie about details.
The CISO/CSO community is on fire about this case, and they should be. They are concerned about their reputations and personal liability and wondering if they are covered by D&O policies. The Sullivan case presents a unique opportunity for risk managers and agents and brokers. Risk managers can help their organizations manage cyber risks by reaching out to their CISO/CSO, building a relationship with them, and helping them build proper cyber governance frameworks within their organizations. Risk managers also should engage the C-suite to ensure a cyber governance framework is in place that includes escalation of incidents and segregation of duties. Agents and brokers should use the Sullivan verdict as a reason to reconnect with their clients prior to renewal to discuss D&O coverage, because D&O derivative shareholder suits or class action securities litigation are likely to follow major cyber events. Brokers can help clients understand the limits to such coverage in criminal matters. Agents and brokers should also encourage clients to connect their CISO/CSO, executive team and board to put robust cyber governance programs in place to help manage cyber risks and claims.