Uber breach case a ‘watershed moment’ for CISOs’ liability risk

Since former Uber CSO Joe Sullivan was charged in August with two felonies for failing to report a 2016 breach that exposed 607,000 personal records, CISOs are scrambling to determine their own personal liability for breaches in their organizations. The charges — obstruction of justice and misprision of a felony (failure to report a crime) — carry with them the potential of jail time of up to five years and three years, respectively.  

“This is a watershed moment,” notes Robert Rodriguez, chairman of SINET and a former special agent with the US Secret Service. “CISOs differ on the matters of disclosure, who notifies law enforcement, and the way directors and officers (D&O) indemnity insurance is designated.”

Most CISO’s agree that the best way to reduce liability is to do the right thing. In this case, that would have been to report the breach to law enforcement, with or without the support of upper management. In fact, 70 of the 100 CISOs polled during a virtual briefing by Sullivan’s legal team in September said it was common practice at their organization for the general counsel’s office to notify authorities when a cybersecurity incident occurs.

“At the end of the day, Uber’s CSO still covered up a breach that he was required to report,” says Lynn Mattice, formerly CSO at Northrop, Whirlpool and Boston Scientific and who now runs an enterprise risk management consulting practice. “There is no right way to do the wrong thing.”

The crime and the cover-up

While the Uber CSO may have thought that paying the hackers to get the data back was a way of protecting the data, there were no guarantees that the stolen data was scrubbed from the hackers’ systems, so it still should be reported, he continues. The FBI release also indicates that there is still an outstanding third party who fed the vulnerability data to two data thieves, who have been caught and charged in this case.

Covering up the crime prevented the FBI from catching the attackers before they could cause more damage to other victims, according to the FBI release and summons. However, Sullivan’s legal team disagrees, saying in a written statement that, “If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all.”

Before this case, the most common liability CSO’s faced in breach situations was being thrown under the bus and losing their jobs. People close to Sullivan feel that this is what happened to him, but with much more serious consequences.  

Uber’s general counsel and then CEO Travis Kalanick were never charged after claiming that they didn’t fully comprehend the actions being taken by Sullivan at the time. Sullivan’s team flatly disputes that version of the story.

“From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber in accordance with the company’s written policies,” says Sullivan’s statement. “Those policies made clear that Uber’s legal department—and not Mr. Sullivan or his group—was responsible for deciding whether, and to whom, the matter should be disclosed.”

Kalanick was distracted by other business scandals at the time, including accusations of driving toxic work environment, which led to his resignation in 2017. Sullivan then reported the breach to the new CEO, but the FBI charges that he falsified data in that report to cover up the timing of the breach and the type of data that was copied out of the Uber systems.

A good plan goes a long way

This confusion around who reports what, to whom, and under what circumstances must be sorted out and fully established before a breach, says Stevan Bernard, former executive vice president of global protection services for Sony Pictures Entertainment. “Ethics policy should be clearly understood, chain of command well established, roles and responsibilities well defined, agency reporting requirements established and agreed,” he advises. “The legal department may want to engage outside counsel to ensure privilege is maintained and objectivity is well established, as well.”

By following this advice, Bernard saw Sony Pictures through a nation-state attack reported in 2014 that was intended to exfiltrate and destroy their data and embarrass the company in the process. Sony’s pre-established relationship with law enforcement was essential to resolving the case, according to Bernard. Additionally, the response team engaged other third parties to assist with forensic investigation, recovery and business continuity.

Throughout the breach response and reporting process, communicate clearly to the chain of command, make sure they all understand the documentation, and keep good records, says a CSO at a consumer products company who asked not to be named. “It appears that the lawyer engaged at Uber at the time claims not to have properly understood what his CSO was doing. This is why CSOs need to make sure that ‘stupid’ is not an excuse and ensure that information is clearly communicated,” explains the CSO. “General counsel, the CEO, the board — they all need transparency and to acknowledge that they understand the issues. Keep meticulous track of who you reported it to inside and outside of your organization.” 

Are bug bounty programs a liability?

Because this case involved paying off the bad guys under the guise of Uber’s bug bounty program, CISOs are split on whether or not their bug bounty programs are now a liability. Nearly half (47%) of the CISOs at the Sullivan case briefing said they treat vulnerability disclosures from bug bounty programs as security incidents.

CISOs are also wondering if paying ransomware operators is the same as paying off the hackers who demanded money in this Uber case. When asked about paying ransoms, the FBI recommended that businesses not pay them, adding that the ultimate decision on whether to pay the ransom lies with the victim organization. “Even if a victim chooses not to follow FBI recommendations regarding the payment of ransoms, the FBI will still investigate the underlying crime and treat all victims with dignity and respect,” wrote an FBI representative.

In a recent blog, Ben Wright, a well-known cyber attorney and instructor at SANS, explains the differences between a bug bounty program and an uninvited ‘researcher.’ The differentiator in this case, he says, is that legitimate bug bounty programs will never follow through with the exploit and remove sensitive data, which is what occurred in the Uber case.  

By 2024, CEOs (rather than CISOs) will primarily bear the liability for cyber-physical security, according to Gartner. While the federal agencies contacted for this article will not share more detail of why the CISO and not general counsel or the CEO were charged in this case, Wright and other legal experts say that evidence will likely come out in discovery that reveals why these charges were only directed at the CISO.

Limiting your risk 

CISOs should read their employment contracts carefully and not sign anything that puts the responsibility for breaches on the CISO. “Use your contract to set the proper expectations. Breaches will happen,” explains Bob West, former CISO and managing partner of West Strategy Group. “Are you properly prepared? Are you doing what’s commercially reasonable to ensure you address it properly?”

Look into CIO/CISO-level coverage through the company’s D&O insurance. Only 30% of the CISOs polled at the Sullivan case briefing said their organization’s D&O insurance covered their title.

However, if proper ethics and procedures are not followed, don’t expect to insure yourself out of a mess of your own creation. “Leadership should review all cyber-related insurance policies,” suggests Bernard. “Understand what is covered and what is not. For example, when policies require certain actions, make sure you are compliant.”