Sullivan verdict sends shockwaves through the security industry

Oct. 7, 2022
The Uber CSO’s conviction stemming from a cyber-breach cover-up has put many Chief Security Officers and C-Suites on notice

The conviction of Joseph Sullivan, the former Chief Security Officer (CSO) of Uber, sent shockwaves throughout the security industry – for companies’ cybersecurity postures, as well as for the general career path of your average CSO. Sullivan was convicted in federal court on Wednesday for his attempted cover-up of a 2016 hack of private consumer information.  

“The verdict sends a message to all companies attempting to hide breaches of data from victims impacted,” says noted cybersecurity consultant Chuck Brooks, who also serves as a cybersecurity professor at Georgetown University.

“The Sullivan case … sets a legal precedent and highlights the importance of disclosure and information sharing in fighting cybercrime,” Brooks adds. “The case will hopefully be a wake-up call for companies to not only be forthcoming in alerting victims of breaches but also calling attention to the new sophisticated and often automated cyber-threats that need to be addressed by all operating in the global digital ecosystem.”

Meanwhile, a high-profile conviction of a corporate CSO is certainly something that would be more than a blip on the radar for the average security director. Sullivan, who will be sentenced at a later date by U.S. District Court Judge William H. Orrick, faces up to 8 years in prison for “obstruction of proceedings of the Federal Trade Commission” and concealing a felony.

“Security people have always been subjected to criminal and civil risk in what they do every day, because people, companies, information, brand get damaged when security isn't managed well,” explains Bob Hayes, managing director of the Security Executive Council and former long-time CSO of Georgia Pacific and 3M. “There are a lot of cases where CSOs have gone to jail when their behavior became criminal.”

As an example outside of the cybersecurity realm, Hayes cites the coal mining operations of Massey Energy, where the Chief of Security lied to the FBI during an investigation into an explosion that killed 29 miners in 2011. He was sentenced to three years in prison in 2012.

“I don't think this is anything new, I just think it is a high-visibility incident with a different twist,” Hayes says. “There are risky decisions made every day in companies – not illegal decisions, but things like acquisitions, divestitures, product launches, the list goes on. Companies must take precautions to minimize that risk, and that's what CSOs do for a living. I think this should be a wake-up call for those who don't realize that.”

Adds Peter O’Neil, president of ASIS International: “This case certainly highlights the importance of transparency in leadership and making the right choices at critical moments in time, and highlights the pressure so many CSOs around the world are under.”

Security Best Practices: A Must

So how can an otherwise law-abiding security director stay clear of federal prosecution? First and most obviously is to understand the law. Each vertical has its own rules and regulations regarding cyber-breach notification. There is a HIPAA breach notification rule for healthcare, for example, and President Biden signed a new federal data-breach notification requirement in March 2022 for the vast majority of the critical infrastructure sector.

According to the U.S. Attorney’s Office in the Northern District of California, “the evidence demonstrated that, shortly after learning the extent of a 2016 breach, rather than reporting it to the FTC, any other authorities, or Uber’s users, Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC … Sullivan then arranged to pay off the hackers (100,000 in bitcoin) in exchange for them signing nondisclosure agreements in which the hackers promised not to reveal the hack to anyone.”

Hayes says that documentation of process and behaviors are critical. “Could a security director really arrange to pay out $100,000 in crypto with nobody else in the company knowing? I never could, and I don't know any other CSOs who could either. Would any CSO I know ever go to a regulatory agency and report [a data breach] without the General Counsel and the CEO’s approval? None that I know. I have never met [a CSO] who would take on that much authority.”

Another key, Hayes says, is to have a clear understanding of the job responsibilities and to make sure to communicate the risks – from cybersecurity to brand protection to employee injury – to all stakeholders. He says: “Do you understand the law? Do you understand where you fit? Is your role really clear? Are you in agreement with management of how these things are going to be handled? Do you have good processes in place? Do you run tabletop exercises to see if everybody's on the same page? Make sure you have concurrence [from company leadership] on the mitigation strategies, and make sure that your roles and responsibilities are clearly defined.”

Effect on the Future of the Industry

No matter the sentence, a high-profile case such as Sullivan’s will have an effect on the C-Suite, as well as current – and future – CSOs. It also likely will alter their stance on hiring best practices, as well as cybersecurity in general.

“Cyber is one of the biggest risks any corporation faces. From that standpoint, I think it is a good thing that people will have a greater understanding of the importance of [cybersecurity],” Hayes says. “In many of these breach cases, security has repeatedly warned that more needs to be done. Probably the most difficult question asked coming out of this is: When [the CSO] has made management aware of the business case [for security] and the consequences of [inaction], and they say no, then what?”

Thus, Hayes says the Sullivan case will have a significant effect in the boardroom and on executive behavior. “It is a high-impact event. It could have a negative impact, but it could also be a positive, because people are going to say to themselves, ‘I better learn about this, and I better be pretty darn professional about what I do.’ I think it will change behaviors for some people; for others it will reinforce what they have been doing all along,” he says.  

“I think security people will be more determined than ever to do the right thing,” Hayes concludes. “Security people who are surprised by this better get busy, because if they didn't think these kinds of things can happen, then they probably shouldn't have been in the business in the first place…and this won’t be the last time.”

Paul Rothman is Editor-in-Chief of Security Business magazine, a printed partner publication of SecurityInfoWatch.com. Access the current issue, archives and subscribe at www.securitybusinessmag.com.