Culhane Meadows’ co-founder and managing partner Heather Haughian was recently featured in an article by InformationWeek which discusses the recent conviction of Uber’s former CISO for covering up a data breach.
Here are a few excerpts from the article:
Joseph Sullivan, the former chief security officer of Uber, was sentenced to three years of probation and ordered to pay a $50,000 fine for covering up a 2016 data breach at the rideshare company. While data breaches and regulatory repercussions are not new, the prosecution of a prominent senior executive is novel.
“The primary implication is that organizations and individual incident responders must be aware that they can become targets of federal criminal prosecution for incident response activities that violate federal criminal laws,” Ed McAndrew, partner at BakerHostetler and former federal cybercrime prosecutor and National Security Cyber Specialist at the US Department of Justice, tells InformationWeek.
Sullivan was hired as the first CSO of Uber in 2015, shortly after the Federal Trade Commission (FTC) launched its investigation into a 2014 data breach at the company. He participated in the company’s response to the FTC investigation. Shortly after giving sworn testimony to the FTC, he learned of another breach in 2016: a breach that leveraged the same vulnerability used in the 2014 incident, according to the United States Attorney’s Office Northern District of California press release.
Uber paid the hackers a $100,000 ransom, but the breach, which involved 57 million driver and rider accounts, remained a secret for more than a year. Hackers signed nondisclosure agreements in exchange for payment. Sullivan covered up the breach both internally and externally while Uber was still under investigation for the 2014 breach. “FTC regulators generally place a premium on transparency during these investigations, which also made Sullivan’s cover-up that much worse,” says Heather Clauson Haughian, a managing partner and privacy and data security attorney at law firm Culhane Meadows.
Over its history, Uber has come under scrutiny for a number of its business practices — related to data breaches as well as its treatment of drivers and customer safety. In 2022, the company experienced another data breach. What impact will Sullivan’s sentencing have on Uber?
Mike Hamilton, founder and CISO of cybersecurity company Critical Insight and former CISO for the City of Seattle, points out that the Sullivan case is unlikely to impact the way customers view Uber, but it does mean the company will likely be under more regulatory inspection. “The Securities and Exchange Commission will be applying extra scrutiny to Uber’s public filings for proper articulation of risks for shareholders. Customers won’t care; regulators now have a microscope on Uber,” he says.
With an ever-expanding attack surface, data breaches are not always preventable. Could more security executives face personal responsibility in the aftermath of a breach? In the Sullivan case, it is important to note: “Sullivan was NOT held liable because a breach occurred on his watch; he was convicted because he covered it up,” Clauson Haughian says.
Security executives could face liability in other situations. For example, failure to implement adequate internal controls to protect company and customer data could result in liability. Clauson Haughian also points to situations in which security executives claim “state of the art” security measures yet fail to meet even basic cybersecurity standards. “This latter situation is exactly what happened to SolarWinds, resulting in the company paying $26 million to settle the case against it and the individuals named in the suit,” she says.
In Sullivan’s case, Hamilton contends it is unlikely he acted without the knowledge of other executives. “We don’t know how much pressure may have been placed upon Sullivan from other internal authorities that led him to make these poor decisions,” Clauson Haughian says.
So, how do CISOs minimize their personal risk and the risk to their organizations? “Risk management in a mature organization is a shared responsibility. Risks should be identified, a disposition assigned (accept, avoid, mitigate, transfer), and that information pushed up through a governance organization to ensure that multiple leaders have ‘fingerprints’ on decisions,” Hamilton says. “Ideally, this should insulate the CISO from claims of negligence.” Directors and officers (D&O) insurance can also give company executives liability coverage.
“My advice to CISOs out there: Don’t cover up what you know is a confirmed data breach from anyone in your organization and rely on your attorneys to decide if/how notifications are required under applicable law because that decision is not in your lane,” Clauson Haughian says.
About Culhane Meadows – Big Law for the New Economy®
The largest woman-owned national full-service business law firm in the U.S., Culhane Meadows fields over 70 partners in eleven major markets across the country. Uniquely structured, the firm’s Disruptive Law® business model gives attorneys greater work-life flexibility while delivering outstanding, partner-level legal services to major corporations and emerging companies across industry sectors more efficiently and cost-effectively than conventional law firms. Clients enjoy exceptional and highly efficient legal services provided exclusively by partner-level attorneys with significant experience and training from large law firms or in-house legal departments of respected corporations. U.S. News & World Report has named Culhane Meadows among the country’s “Best Law Firms” in its 2014 through 2023 rankings, and many of the firm’s partners are regularly recognized in Chambers, Super Lawyers, Best Lawyers and Martindale-Hubbell Peer Reviews.
The foregoing content is for informational purposes only and should not be relied upon as legal advice. Federal, state, and local laws can change rapidly and, therefore, this content may become obsolete or outdated. Please consult with an attorney of your choice to ensure you obtain the most current and accurate counsel about your particular situation.