Where should the buck stop? Risks to CISOs in today’s regulatory environment

Joseph Sullivan, Uber’s beleaguered former Chief Information Security Officer, was back in the news last month when he appealed his 2023 conviction for his role in concealing a 2016 breach of Uber’s network and customer data. 

Mr. Sullivan’s conviction sent shock waves throughout the cybersecurity and privacy communities, especially the already overstressed CISO community, because it represented the first time that a CISO of a major company was criminally convicted for concealing a data breach.

Sullivan’s conviction was followed months later by a lawsuit against SolarWinds and its CISO, Tim Brown, brought by the Securities and Exchange Commission. The SEC alleged the company and Mr. Brown downplayed the effects of an infamous cyberattack that occurred in 2020. (The SEC lawsuit has since been dismissed.)

These events provide common lessons for key stakeholders to remember when responding to cybersecurity breaches. They also raise an important question: Who has the final say and responsibility for companies responding to a breach? Or, to the cynic, who is the designated scapegoat when things go wrong?

Uber 2016 data breach

On the surface, Uber’s 2016 data breach and its initial response were not unlike events that companies face every day. After learning a hacker accessed its network and removed 57 million customer records and driver’s license numbers for 600,000 Uber drivers, CISO Sullivan (on Uber’s behalf) paid $100,000 under Uber’s “bug bounty” program in exchange for a promise from the hacker not to release information about the breach or personal information obtained in the breach. Uber also had the hacker sign a non-disclosure agreement. During his trial and sentencing, Mr. Sullivan (himself a former cybercrime prosecutor) emphasized that he negotiated the payment and the NDA to protect the stolen information from further misuse. Although this may seem unsavory to many, it is an unfortunate reality that many ransomware victims face every day. 

Although Uber’s payment itself was unremarkable and the scope of affected data was large but not unprecedented, it occurred while the Federal Trade Commission was investigating a breach that Uber had reported two years earlier, in 2014. Despite the active investigation, neither Mr. Sullivan nor Uber disclosed the 2016 data breach to the FTC. Moreover, Mr. Sullivan did not report the breach to Uber’s new leadership, which had assumed command in 2017, although the previous leadership (including then-Chief Executive Officer Travis Kalanick) was aware. Even worse, Uber never notified drivers whose driver’s license numbers were stolen, despite state data breach notification laws. (The only records stolen that related to customers were name, phone number, and email address, none of which is considered personally identifiable information under breach notification laws.)

Once the breach became public, significant fallout ensued. Mr. Sullivan was fired by the new CEO, and the FTC expanded both its investigation, to include the 2016 breach, and the scope of its 2017 settlement with Uber, taking additional steps. And, of course, Mr. Sullivan was criminally prosecuted, and ultimately convicted, for obstructing the FTC’s investigation.

SolarWinds 2020 cyberattack

Unlike Uber’s Mr. Sullivan, Tim Brown, the CISO for SolarWinds, was not criminally prosecuted. However, he found himself at risk of being personally liable for his role in responding to a widespread data breach that occurred in 2020. The cyberattack, orchestrated by Russian hackers, affected thousands of SolarWinds customers and, not coincidentally, also affected the company’s stock price. The SEC alleged that SolarWinds and its leadership downplayed the impact of the cyberattack and misled shareholders in the process. (The SEC now has a 96-hour reporting deadline for material cyber incidents, but it was not in effect at the time.) 

As part of its effort to increase its emphasis on cybersecurity issues, the SEC filed suit against SolarWinds and Mr. Brown personally as the company’s CISO. As with Mr. Sullivan’s prosecution, the claims against Mr. Brown were unprecedented. However, Mr. Brown prevailed when the claims against him were dismissed.

Are CISOs the scapegoats?

As a result of the Sullivan prosecution and the Brown lawsuit, many CISOs justifiably wonder whether they are next to face criminal charges or personal liability for a breach. Mr. Brown publicly called for tighter and uniform industry restrictions and regulations, a “Sarbanes-Oxley for cybersecurity.” 

Such a law would reflect the risk that a major cyber event could pose to businesses and (especially) consumers. It would also align with recent calls for more public-private partnerships to close cybersecurity risk gaps.

Mr. Sullivan believes that CEOs and other executive leadership could and should also be held accountable for data breaches, noting that CEOs often define a company’s risk posture and external messaging. In Mr. Sullivan’s view, as cybersecurity becomes a more pressing issue, it also becomes less the burden of the CISO and more an issue for all leadership, much like finance became in the wake of several high-profile scandals. It appears that there is support for Mr. Sullivan’s view on Capitol Hill. As an example, when Congress investigated the cyberattack on Change Healthcare that upended the health care industry, it called the company’s CEOs to testify but did not summon the CISO.

Lessons for companies

It may be tempting to brush off the actions against CISOs Sullivan and Brown as exceptions, but that would be a mistake. Since these cyberattacks, regulatory oversight has expanded, requiring proactive and transparent reporting to the authorities. Companies in regulated industries need to understand their reporting requirements when developing their incident response strategies. If they fail to do so, they risk fallout. 

Regarding our original question, where should the buck stop? CISOs will always play a vital role in responding to events, but they are only one piece of the puzzle. A company’s entire leadership needs to be involved in implementing the policies and processes that govern the company’s cybersecurity and incident response. “If you see something, say something” applies to cyberthreats. If you are unsure of what to look for to gauge your company’s readiness, we can help.

The Constangy Cybersecurity & Data Privacy team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address these complex and evolving regulatory requirements. If you would like additional information on how to prepare your organization, contact us directly at cyber@constangy.com.   

  • Partner

    Bert is a member of the Constangy Cyber Team and is based in Philadelphia, Pennsylvania. As a member of our incident response team, Bert applies several years of experience managing responses to data privacy and security incidents ...

  • Melissa J. Sachs
    Partner

    Melissa Sachs, CIPP/US, CIPP/E, is a Partner and member of the Constangy Cyber Team based in Philadelphia.  With a focus in privacy law, she brings extensive experience providing both incident response and proactive compliance ...

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 
