During Joe Sullivan’s sentencing, the judge drew a clear line in the sand - from now on, anyone else who finds themselves in his position will be sent to prison. U.S. District Judge William Orrick said: “If I had a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be in custody.”
Joe Sullivan might have benefited from being first, but future outcomes of similar cases might be very different. Disclosing a breach immediately might still not be enough to safeguard CISOs - how they respond to an attack can also be scrutinised and potentially lead to lawsuits. Meanwhile, regulators are tightening the leash, putting more pressure on companies to make rapid disclosures and enhance their transparency, and civil litigation is also a risk.
All of this creates a legal minefield for security chiefs, who can be held personally liable. They’re being asked to walk a tightrope: upholding the law while keeping breaches undisclosed where they can to protect their business’s reputation.
So, what can CISOs do to avoid similarly sticky situations? To start with, Joe Sullivan himself admitted that one fatal error he made was not consulting outside counsel on how to handle the breach. Uber’s in-house legal team was also largely kept in the dark.
Why does this matter for businesses?
- CISOs should work more closely with legal so that during an incident they know their legal basis for handling it. All of that can be coordinated and arranged ahead of time through retainer services.