Since former Uber CSO Joe Sullivan was charged in August with two felonies for failing to report a 2016 breach that exposed 607,000 personal records, CISOs are scrambling to determine their own personal liability for breaches in their organizations. The charges — obstruction of justice and misprision of a felony (failure to report a crime) — carry with them the potential of jail time of up to five years and three years, respectively.
“This is a watershed moment,” notes Robert Rodriguez, chairman of SINET and a former special agent with the US Secret Service. “CISOs differ on the matters of disclosure, who notifies law enforcement, and the way directors and officers (D&O) indemnity insurance is designated.”
Most CISOs agree that the best way to reduce liability is to do the right thing. In this case, that would have been to report the breach to law enforcement, with or without the support of upper management. In fact, 70 of the 100 CISOs polled during a virtual briefing by Sullivan’s legal team in September said it was common practice at their organization for the general counsel’s office to notify authorities when a cybersecurity incident occurs.
“At the end of the day, Uber’s CSO still covered up a breach that he was required to report,” says Lynn Mattice, formerly CSO at Northrop, Whirlpool and Boston Scientific and who now runs an enterprise risk management consulting practice. “There is no right way to do the wrong thing.”