Former Uber security chief found guilty in case involving data breach cover-up.

Former Uber security chief Joe Sullivan has been found guilty of covering up a 2016 data breach, as well as concealing information on a felony from law enforcement, Security Week reports. The month-long trial resulted in a verdict that could put Sullivan in prison for up to 8 years; a maximum of 5 years for the obstruction charge and a maximum of three years for a misprision charge. The New York Times reports that it took more than 19 hours to reach a verdict in the case for the jury of six men and six women.

“While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case. Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” said a lawyer for Mr Sullivan, David Angeli.

Benjamin Kingsley, an assistant U.S. attorney, said during closing arguments that “He took many steps to keep the F.T.C. and others from finding out about it. This was a deliberate withholding and concealing of information.”

Industry comments: transparency and accountability.

David Lindner, CISO at Contrast Security, called the situation unfortunate: “The entire situation is extremely unfortunate for Uber and the broader legal/security communities. What Uber did was cover up a breach through means of hiding it as a bug bounty submission. The conviction of the security chief is a good start but for what was disclosed there should be even more accountability of the executives and even board members.  

"Transparency is the only path forward for organizations. Transparency of breaches, transparency of known vulnerabilities, and transparency of the components used to build their software. Uber failed in being transparent and it has resulted in not only a fine but in the conviction of a human behind the decisions. We will see more of this if we don’t move to transparency fast.”

Dr Ilia Kolochenko, Founder of ImmuniWeb, and a member of Europol Data Protection Experts Network, discussed holding cybersecurity executives accountable: “The Uber case is just another illustrative example of the unfolding global trend to hold cybersecurity executives accountable for their companies' data breaches. In the future, we will likely see more CISOs, DPOs and board members civilly liable or even face criminal prosecution for security or privacy incidents. Many countries have already implemented – by the virtue of statutory or case law – personal accountability of executives for data breaches. Serious misconduct, such as deliberate concealment of a data breach despite the regulatory requirement to report the breach to mitigate harm, may even entail criminal sanctions.

"Cybersecurity executives should urgently ascertain that their employment contracts address such vital issues as coverage of legal fees in case of a civil lawsuit or prosecution in relation to their professional responsibilities, as well as a guarantee that their employer will not sue them – as victimized companies may also sue their own executives in case of security incidents. Finally, cybersecurity executives should be always prepared to demonstrate a systemized, continually improved and comprehensive data protection and privacy strategy, as well as solid evidence of regular and coherent implementation thereof."

Added, 10.6.22.

Michael Hamilton, Founder and CISO at Critical Insight, thinks that the verdict might not have the effect many expect. "The prevailing narrative is that this will make organizations more aggressive about reporting. This may have an unintended effect of chilling reporting until the event has been perfectly characterized," he wrote. "The wildcard remains enforcement of the false claims act by the FTC and DOJ and potentially a class action from California through enforcement of the CPPA and CPRA. Fines and lawsuits will affect whether this is more diligence regarding reporting or dilation of the time to report to ensure that all assertions are accurate."

Amitai Ratzon, CEO of Pentera, offered an appreciation of the lessons to be drawn from the conviction. "The guilty verdict of the Uber CISO underscores the need for more transparency between the board, risk-committees and the executive echelon. Transparency needs to carry across incident reporting as well as security posture gaps and audit data. In today's cybersecurity attack surface there is no choice but to lift the hood and measure security exposure continuously."

Neil Thacker, CISO, EMEA at Netskope, thinks the verdict will reverberate through the CISO community, inducing them to rethink their calculations of their personal exposure to legal risk. "The international CISO community has been watching this one very closely, and hypothesizing about the repercussions for some time. There is very little doubt among my peers that this case was about a serious misjudgment on the part of a CISO, but hindsight is a wonderful thing and we will probably never fully understand the complex factors and influences that led to his decisions. One of the biggest concerns within the community is an acknowledgment of the possible pressure that may have been exerted from other internal authorities upon the CISO, which led him to make the decisions. We won't know the full repercussions for some time, but I would expect that we will see a number of CISOs and (aspiring CISOs) opting to make different career decisions based on this latest example of the personal risk burden, and we may see this further impacting the existing skills crisis in cyber security."