Executives who do not comply with federal cybersecurity regulations can and will be prosecuted


Uber’s former Chief of Security in the U.S., Joe Sullivan, was recently convicted by a federal jury for obstructing a government investigation and for the concealment of a felony from the Federal Trade Commission (FTC).

The trial was widely followed because of Uber’s high profile. It was followed particularly closely by Chief Information Security Officers (CISOs) around the world, including in Germany, since it is the first time a company executive has faced criminal prosecution over a data breach.
For many CISOs, Sullivan’s conviction sets a frightening precedent. To be held responsible for the cybersecurity policy of an entire company is a heavy burden. The U.S. government, on the other hand, considers the conviction a win and wants to send a clear message to the corporate world: executives who do not comply with federal cybersecurity regulations can and will be prosecuted.

Multiple data breaches

In 2014, Uber’s database was breached and the incident was reported to the U.S. FTC. Even though it happened before Sullivan joined the company, the federal investigation continued into 2015. It was Sullivan who withheld information during the investigation.
In 2016, hackers broke into the Uber database and stole millions of user records and driver’s license numbers. As Chief of Security, Sullivan attempted to negotiate with the hackers, which culminated in a payoff of $100,000 in Bitcoin and a non-disclosure agreement (NDA) signed by the hackers. The latter was a crucial point for prosecutors, who argued that Sullivan intended to cover up and conceal the entire incident.

Sullivan allegedly booked the payoff as part of the company’s bug bounty program, a type of program many companies run to offer cash rewards to white hat hackers who find bugs in their software. In doing so, Sullivan concealed the true nature of the expense.

However, according to his legal team, Sullivan consulted with Uber’s former CEO, Travis Kalanick, and concluded that he did not need to report the incident. (Travis Kalanick later was forced to resign due to scandalous reports about the way he ran the company.)

The breach came to light in 2017, when Dara Khosrowshahi took the helm as the company’s new CEO and initiated a general housecleaning.

Things have been slow to change, however: Uber was recently fined by the FTC for failing to take proactive steps to improve its security practices, even after being put on notice. Because of these poor practices, Drizly, an alcohol delivery service owned by Uber, was hacked, and the data of 2.5 million users was stolen.

Sullivan and Uber are not the only individuals or organizations that have tried to cover up data breaches and are now facing scrutiny from the authorities.

Another example is the online retailer Shein, which misled its customers about why they had to update their passwords. A data breach compromised a number of user passwords; rather than disclosing this, the company forced password resets on the affected users and claimed it was because they had not updated their passwords in over 365 days.

Because it was not forthright and truthful with its customers, Shein was required to sign an assurance agreement. Under this agreement, the company must report on its security practices to the state of New York for the next five years.

“While New Yorkers were shopping for the latest trends on Shein and Romwe, their personal data was stolen and Zoetop tried to cover it up,” said Attorney General Letitia James, referring to Shein’s former parent company. “Failing to protect consumers’ personal data and lying about it is not trendy.”

What does Sullivan’s conviction mean for the cybersecurity industry in the U.S. and Europe?

Sullivan’s conviction showcases the U.S. federal government’s tough new stance on cybersecurity regulation enforcement. Much like the enforcement of the Foreign Corrupt Practices Act (FCPA), the conviction also highlights how senior executives of U.S. companies (including ones with locations in Europe) are personally on the hook for the policies of a corporation, even if they didn’t directly break the rules themselves.

Likely outcomes of Sullivan’s conviction include:

  • More CISOs will negotiate personal liability insurance into their employee contracts.
  • CISOs will demand that CEOs, CFOs, and other C-suite executives also be on the line for major security decisions.
  • More whistleblowers (as in the recent Twitter case) may come forward, given the increased personal liability involved in major cybersecurity decisions.

The experts weigh in

Experts believe Sullivan’s verdict could affect the cybersecurity world and the security space in general. CISOs who have to worry about being prosecuted by state and federal authorities may perform differently, and in the longer term this could affect who chooses to work in the role at all.

It is important to note that Sullivan was convicted for attempting to cover up the breach. Breaches will happen, and we operate under the assumption that CISOs are truthful in their dealings with their leadership.

In general, views vary, with the focus on who will have to take the blame and be held responsible. Christopher Hallenbeck, CISO of Americas at Tanium, does not believe this episode will create any major changes: “A change in reporting laws is unlikely to prevent what happened here. Sullivan was found guilty of actively taking steps to both hide the existence of the intrusion. With these breach notification laws in place he could have violated that law in a similar manner.”

Other experts, such as Casey Ellis, Founder and CTO at Bugcrowd, believe the verdict will cause a major change: “It’s a significant precedent that has already sent shockwaves through the CISO community. It highlights the personal liability involved in being a CISO in a dynamic policy, legal, and attacker environment.”

The federal government’s tough stance on compliance will certainly not help with the shortage of cybersecurity professionals in the U.S. If anything, Sullivan’s conviction will make CISOs think twice before committing to a corporate leadership role. Being at the top of a company’s executive structure can be the culmination of a career and an attractive place to be. Being in the cross-hairs of the U.S. government, less so.

daviv@interfor.international