Should a company’s security chief shoulder the blame for mishandling a cybersecurity incident? This question surrounds a current court trial - the first in history where an executive faces criminal charges concerning a data breach. Joe Sullivan, the former security officer at Uber, is allegedly responsible for covering up a hack and hiding the incident from the public.


  • The ride-sharing company suffered a data breach in 2016, which affected 57 million Uber customers and workers globally. Hackers gained access to 600,000 driver’s licence numbers and millions of names, emails, and phone numbers.
  • In many US states, the law requires companies to disclose breaches as soon as possible - but Uber waited a year after the breach to alert the public. As a result, Uber fired Sullivan, one of those who led the response to the breach.
  • Uber paid $148m in settlements because of this delay. Now, federal prosecutors are arguing that Sullivan tried to cover up the breach entirely by claiming the incident was part of Uber’s “bug bounty” program - where they incentivise benign hackers to unearth security flaws. Sullivan denies this alleged cover-up.
  • Much of the security industry is split over whether the responsibility for the breach lies at Sullivan’s feet. For some, other executives at the company and its board should be investigated and are equally culpable.


Why does this matter for businesses? 

  • This case could set a precedent for whether cybersecurity professionals can be held personally accountable for failing to protect their companies from cyberattacks and breaches, or for failing to report them.
  • Many cybersecurity professionals are concerned about their personal liabilities going forward. Anecdotal evidence suggests that many are asking for personal insurance protection.

