Former Uber CSO had a close shave, narrowly escaping jail time for his role in the 2016 data breach. Danny Bradbury takes a look at individual accountability and the law’s teeth when it comes to cyber negligence
Joe Sullivan must have breathed a big sigh of relief this month. The former chief security officer at Uber was finally sentenced for his part in covering up a massive data breach at the ride-sharing company in 2016.
Sullivan got three years of probation for obstruction of justice and hiding a felony after he paid off the Uber hackers and, along with others in the company, failed to tell the FTC about it. All of this happened while the Commission concluded another investigation into a separate 2014 breach.
The sentence was a narrow escape for the cybersecurity pro, who went on to work for Cloudflare and the humanitarian organisation Ukraine Friends. This novel case prompted leniency from presiding U.S. District Judge William Orrick. He promised future jail time for future defendants.
A chilling effect
Some cybersecurity experts worry that the case will have a chilling effect on CISO recruitment. Former CISA (Cybersecurity and Infrastructure Security Agency) chief of staff, Kiersten Todt, said that executives had told her the verdict would set the industry back. Who wants to work in a job that could see you in jail for a breach?
“There’s not a disincentive to get into security, there’s a disincentive to lie to the FTC.”Brendan O’Connor
Those concerns are ill-founded, says Brendan O’Connor, an attorney and founder of cybersecurity consulting company Malice Afterthought. “There’s not a disincentive to get into security,” he explains. “There’s a disincentive to lie to the FTC.”
This isn’t the only case in which a company officer has been held personally liable for a breach. In April this year, a Finnish court handed down a three-month suspended sentence to Ville Tapio, former CEO of the psychotherapy centre, Vastaamo. Ransomware criminals compromised patient data at the company in 2018 and tried to extort it. When that failed, they approached patients directly. The criminal group also leaked patient files on the dark web.
Vaastamo fired Tapio, accusing him of concealing the breach from the board when the security flaws were discovered in March 2019. An equity firm that purchased the company three months later said it would not have done so had it been notified of the breach. Now appealing the decision, Tapio pointed the finger at subordinates, arguing that the breach was their fault and that he had not known about it. The psychotherapy centre filed for bankruptcy in February 2021.
Focusing personal liability on executives
Expect more personal cases against executives over cybersecurity issues, warns Richard Borden, a partner at legal firm Frankfurt Kurnit Klein & Selz.
“The regulators are becoming increasingly upset that breaches keep happening,” he says. “They are pushing the regulatory risk higher, increasing fines and creating more detailed sets of requirements. They are also looking to have responsibility pushed up to senior officers and to the board.”
This new focus on individual accountability shows up in proposed amendments to the already strict NYDFS Part 500, a regulation from the New York Department of Financial Services that target financial institutions doing business in the state. The rules would add a new requirement requiring their highest-ranking executive and CISO to sign an annual compliance certification.
A willingness to hold individuals liable also showed up in an October 2022 FTC order against home booze delivery company Drizly, which Uber bought in February 2021. Drizly suffered a data breach in 2020 in which attackers stole data on 2.5 million consumers. It had stored developer cloud account credentials in GitHub without adequate access controls and had no security policies in place. Nor did Drizly hire someone to oversee the security of this information, said the FTC.
The Commission alleged that Drizly misled customers under section five of the FTC Act and that the lax security practices were unfair to consumers. The FTC targets companies that always harm consumers with poor security using this legislative tool. Still, one new thing stood out: the settlement also applied personally to Drizly CEO James Cory Rellas.
“The Commission’s proposed order will follow Rellas even if he leaves Drizly,” said the FTC. “Specifically, Rellas will be required to implement an information security programme at future companies if he moves to a business collecting consumer information from more than 25,000 individuals and where he is a majority owner, CEO, or senior officer with information security responsibilities.”
This might not hurt Rellas’ pocket or curtail his liberty, but it will likely be a blot on his CV, warns Borden. “That one should be more concerning than the criminal case,” he says. “If you’re a Board, especially of a public company, and you’re looking at when you bring this person on, there comes additional regulatory scrutiny. That is a very tough thing.”
The Drizly and Vaastamo cases also raise another critical point: the CISO might not be the only liable person. In Drizly’s case, there wasn’t a CISO to pin the issue upon. In the case of the Uber breach cover-up, evidence revealed that then-CEO Travis Kalanick knew about the breach and the cover-up. Orrick questioned why Kalanick wasn’t on trial with Sullivan, but Sullivan had declined to implicate him.
Personal liability (*gulp*)
Cover-ups are one thing, but can CISOs also be held personally liable for screw-ups? There have been far larger cases, such as the 2017 Equifax breach, that regulators put down to negligence. They punished the company, rather than individuals, in that breach.
“I’ve always been clear when I go into a company as a CISO that I cannot be accountable unless I’m on the board”Chris Cooper
There are no codes of conduct under which CISOs could be held professionally liable for cybersecurity negligence in the same way that civil engineers are, points out O’Connor. There are other potential avenues to pursue cases of personal negligence in the UK, but it seems unlikely that prosecutors would use them systematically.
Section 198 of the Data Protection Act allows for criminal prosecution of directors not just for connivance, but for neglect. The Privacy and Electronic Communications Regulations (PECR) will enable the ICO to personally fine directors up to £500,000 if their companies can’t or won’t pay up. A private party might also interpret a director’s failure to ensure adequate cybersecurity as a failed duty of care under the 2006 Companies Act.
There might also be industry-specific tools. For example, the Financial Conduct Authority’s Senior Managers and Certification Regime (SM&CR) is a three-part framework requiring financial companies to clearly allocate responsibilities to senior decision-makers. “If a firm breaches one of our requirements, the SMF responsible for that area could be held accountable if they did not take reasonable steps to prevent or stop the breach,” it says.
How to protect yourself as a CISO
How can CISOs, or those ultimately responsible for cybersecurity in an organisation, protect themselves? Ultimately, not acting in bad faith and showing that you did your best to fulfil your responsibilities is the best defence. However, that might be difficult if you don’t have enough resources or political power in an organisation to do your job properly. Chris Cooper, a member of ISACA’s emerging trends working group and CISO for managed services provider Six Degrees, points out that CISOs should always be clear about the reporting line and who is accountable for what.
“In different organisations, CISOs report into different parts of the company,” he points out. In one, they might be at the whim of the IT director. In another, the CFO. “That can change the dynamic of who can be responsible for something or not, so I’ve always been clear when I go into a company as a CISO that I cannot be accountable unless I’m on the board,” he adds.
Cooper also lays out the line of reporting and accountability in a short information security charter that he asks companies to sign off on. This charter has not been tested in court, but in the event of a serious incident, it clarifies his position and responsibilities in the company.
These early cases of personal liability for security decision-makers target those accused of misleading stakeholders. While some believe that the potential dangers to other CISOs remain limited, others fear that growing regulatory concerns could sweep up more security professionals in the future. For now, common sense applies: do your job properly, don’t lie about incidents – and have clear documentation in case someone tries to throw you under the bus.