Recent Verdict Against Uber CISO is a Game Changer
In early October, the US Department of Justice announced that a verdict had been reached in the case against former Uber CISO Joe Sullivan, finding him guilty on two counts connected to covering up a data breach at the company. What made the case particularly noteworthy was that it did not seek to recover costs or damages for those affected by the breach, which would typically be a civil matter, but was filed as a criminal charge for obstructing proceedings of the Federal Trade Commission. This distinction matters because it raises the personal risk that anyone in the CISO role takes on: a guilty verdict in a criminal case becomes part of an individual's record, and penalties can include incarceration, although sentencing has not yet concluded in this case. The U.S. Attorney's office was clearly looking to set a precedent with the Uber case, discouraging CISOs from withholding information that must legally be disclosed under the various privacy protection laws.

So now, in addition to worrying about the harm an incident like the Uber breach can cause to a company's brand or to the CISO's reputation and future job prospects, do we need to add the possibility of personal fines and jail time to the list? More importantly, what protections and resources should every CISO make sure are in place to avoid assuming personal risk?