CSOs and CISOs across America have been watching the events of the Sullivan case unfold over the past couple months and many are understandably dismayed at the conviction.
This blog post will walk through the facts at a high level, including the circumstances that eventually rose to the level of criminal charges in the first place and the critical lessons CISOs can learn from this case.
Joe Sullivan, former chief security officer (CSO) for Uber, was convicted of federal charges stemming from payments he quietly authorized to hackers who breached the company in 2016. There are many - and I mean many - topics we could dive into about which executive did or didn’t do what, should or shouldn’t have done what, and should or shouldn’t have authorized what. Or about how to handle bug bounty program reports. But I’m writing this blog post with one purpose: to explain how the heck Sullivan ended up facing criminal charges.
Sullivan was charged with and ultimately convicted of obstruction of justice and misprision of felony. (I will give a $10 coffee/tea, Topo Chico or cocktail gift card to the first person who correctly identifies an episode of any variety of Law & Order in which someone names this charge – DM me on LinkedIn!). Here is an oversimplified version of the major points you need to know to understand how Sullivan ended up in criminal court.
Humorous Example:
No prosecutor is involved here; we’re not in criminal court yet. The FTC does not have the power to take away someone’s freedom, even for egregiously mishandling consumer information (or misrepresenting its security protections). The FTC has the authority to protect consumers from unfair or deceptive practices; think false advertising about security or privacy protections for your personal information.
Here’s what we know at this point in this blog post: While under FTC Investigation into Data Breach #1, Uber sustained Data Breach #2 and did not report it to consumers as required by law.
A company’s failure to notify consumers about a data breach - or even a second data breach - as required by law would not typically result in criminal charges for any executives, much less a CSO or CISO. So why criminal charges against Sullivan?
Bear with me for a couple more paragraphs.
During an FTC investigation, the FTC can issue a civil investigative demand (CID), which is akin to a subpoena or discovery request, to gather evidence to help it decide whether the company’s business practices were deceptive. The FTC uses CIDs to compel a company to hand over documents and/or write answers to questions in response to specific requests in the CID and/or make witnesses available to be interviewed.
Why should you care? It’s relevant to the criminal charges.
In a case like FTC Investigation into Data Breach #1, the CID would almost certainly include something along the lines of: Describe any security incidents you have sustained. As you can imagine, providing information to the federal government (e.g., in response to a CID) requires truthful and complete answers. When companies submit responses to CID requests, they must also submit a certification signed by a corporate officer attesting to the fact that the information submitted in response to a CID is truthful to the best of the officer’s knowledge. Witnesses who are interviewed by the FTC also promise to be truthful in their interviews.
Mildly Humorous Example:
In FTC Investigation into Data Breach #1, the CID required Uber to disclose security breaches it had sustained, including through interviews with several company executives, among them Sullivan. While the FTC Investigation into Data Breach #1 was ongoing and Sullivan was supposed to disclose (truthful, complete) information to the FTC, Sullivan learned about Data Breach #2.
His failure to disclose Data Breach #2 while under oath gave rise to the two criminal charges that led to his eventual conviction.
Many in the industry anticipated his acquittal because, until this time, executives had not been held personally liable for corporate decisions to this extent.
Prosecutors argued in Sullivan’s case that:
CSOs and CISOs: Sullivan’s conviction is being appealed and we won’t know the ultimate outcome for a while. But in a worst-case scenario, CISOs could face liability, including criminal charges. A CEO is not the only executive who could be on the hook for ensuring information is disclosed to the government when required. If similar circumstances occur in your organization, where you feel a decision is being made to refrain from reporting something reportable, you can always talk to a lawyer or look into possible whistleblower protection.
While the results of the case may be shocking, I wouldn’t lose too much sleep worrying about possible prison time. I would take this as an opportunity for CISOs and others in the infosec industry to advocate for better security program components in governance, awareness and assessments.
CISOs can (keep) push(ing) their companies to establish clear governance policies and procedures. Governance is becoming an increasingly hot topic (Cybersecurity Governance may be a new category in the NIST Cybersecurity Framework v 2.0 currently in development). Try to get your organization to put important details in writing: identify decision-makers on critical issues, lay out the reporting chain of command and the process for alerting executives when needed, and spell out the details of the CISO/CSO’s authority. In governance policies or a charter formalizing the CISO/CSO’s role, in addition to listing the responsibilities of your role, it can be even more important to list the areas that are not your responsibility.
If you are doing what you’re supposed to, document that you did what you were supposed to do. Record-keeping is an important part of compliance anyway, so don’t leave yourself out of the record. Train your team and the organization at large on how to respond to incidents and what the company expects of them. If nothing else, try to have a discussion with your CEO or others about their expectations for disclosing cybersecurity incident-related information so you have a sense of where you stand. You could consider running a tabletop exercise using a scenario modeled after Sullivan’s real-life scenario to help decide how it could or should play out.
CISOs (with budget) need a cybersecurity and privacy law firm to do a full assessment, review their entire program and beef up the parts that aren’t up to par. More often than not, CISOs/CSOs are not the ones standing in the way of dedicating time to comprehensive assessments and reviews. Perhaps you can garner some support for your budget or time requests from the Sullivan situation.
If your company does not prioritize cybersecurity (perhaps for legitimate reasons) and you feel woefully under-supported then think about whether you’re comfortable in your role or should check out other possibilities.
ZeroDay Law can help with all aspects of cybersecurity and incident response services and offers additional expertise in law and privacy law. Services include incident response planning, tabletop exercises, risk assessment and compliance programs, and privacy and cybersecurity law professional development and consulting.
Which cybersecurity services and incident response services are the right fit for your organization? ZeroDay Law can help you protect your organization! Take a look at our list of services and contact our team with any questions.