Guilty for data breach cover up - Privacy Compliance Hub

Last month, Joe Sullivan, Uber’s former chief of security, went on trial in California for his handling of a 2016 security breach. On Wednesday 5 October, a jury found him guilty.

Experts believe the case could change how security professionals and their companies handle data breaches. Commenting after the verdict, one told The New York Times: “The way responsibilities are divided up is going to be impacted by this. What’s documented is going to be impacted by this. The way bug bounty programmes are designed is going to be impacted by this.”

According to the original complaint, Sullivan learned in 2016 that hackers had secured access to the personal data of 600,000 Uber drivers and information associated with 57 million riders and drivers. He then directed those responsible to the company’s bug bounty programme, which offers financial incentives to those who find security vulnerabilities.

Uber paid the two hackers $100,000 in Bitcoin and made them sign non-disclosure agreements (NDAs). The hackers later pleaded guilty for their role in the hack, alongside a separate hack against Lynda.com (now LinkedIn Learning). But Uber did not disclose the incident to its customers or inform the US regulator, the Federal Trade Commission, which was already investigating Uber over its privacy and security practices in 2016.

The incident came to light in 2017 by the incoming CEO, Dara Khosrowshahi, who fired Sullivan and paid an agreed $148m to settle claims it had been slow to reveal the hack.

Sullivan, who is now CSO for Cloudflare, had pleaded not guilty. The verdict is a fall from grace for the former federal prosecutor, who has also spent time at Facebook and eBay. He will now wait to hear whether he will face jail at a yet-to-be-scheduled sentencing hearing.

The poisoned chalice

The verdict was a surprise to many working in this sector. Sullivan claimed he had internal legal advice that suggested there was no need to disclose the hack if the culprits were identified and agreed to delete the data. But court testimonies and documents revealed he did not disclose the hack to Uber’s general counsel, although he did discuss it with Craig Clark, another Uber lawyer.

Clark was also fired by Khosrowshahi in 2017 but was given immunity by prosecutors in exchange for testimony against Sullivan. He said Sullivan had told the Uber security team they needed to keep the breach secret and that Sullivan had changed the NDAs to falsely claim the hack was ‘white-hat research’.

CISO is admittedly not an easy job. Security officers have to juggle multiple priorities, build good working relationships with other leaders, and develop a culture of privacy by design. Staff need to feel comfortable reporting any security breaches – potential or actual – to the CISO without fear of being blamed. But it was Sullivan’s own dishonest actions in covering up the data breach and obstructing the course of justice, by not telling the authorities about the hackers at the time, that saw him in the dock.

Threats of litigation

With the number of data breaches at an all time high last year, this isn’t an issue that’s going away anytime soon. And while criminal proceedings aren’t commonplace, data breaches can lead to fines and penalties, loss of reputation and customers, and civil litigation. Following a hack in 2020 of the software company SolarWinds Corp, investors filed a class action against the company and its executive team, including security chief Tim Brown. Gartner predicts 75% of CEOs will be held personally liable for security incidents by 2024.

According to research by Norton Rose Fulbright of general counsel and in-house litigation practitioners, cybersecurity and data protection are expected to be among the top drivers of new legal disputes in the future. More sophisticated attacks, less oversight of employees and concerns about the amount of client data stored have all combined to make two thirds of survey respondents feel more exposed to these types of disputes.

All of this is unsettling for security chiefs, who are reportedly taking a rising interest in directors and officers’ insurance, which cover the legal expenses of those sued as a result of their work with a company. Others are turning down CISO jobs for fear of being in the firing line.

Could this happen in the UK?

CISOs in the UK shouldn’t fear criminal prosecution as long as they don’t seek to cover up data breaches. The rules on breach reporting in the UK GDPR are clear and straightforward. The regulators are also available to offer advice. What Sullivan’s case does highlight is the importance for all companies of documenting the decisions made by whom and why, when a data breach occurs. It probably also highlights the need for CISOs to have a clear reporting line to the board so that collective responsibility is taken for decision making in relation to data breach, cyber attack and bug bounties.