In early October, the US Department of Justice announced that a verdict had been reached in the case against former Uber CISO Joe Sullivan, finding him guilty of two counts associated with covering up a data breach at the company. What made the Uber data breach case particularly noteworthy was that it was not seeking to recover costs or damages for those affected by the breach, which would typically be civil charges, but was filed as a criminal charge for obstruction of the proceedings of the Federal Trade Commission.
This important distinction raises the bar on potential personal risk any CISO is taking on. A guilty verdict in criminal cases becomes part of an individual’s record, and penalties can even include incarceration, although sentencing has not yet been concluded in this case. Clearly, the U.S. Attorney’s office was looking to set a precedent with the Uber security breach case to discourage those in the CISO role from hiding any information that legally must be disclosed under various privacy protection laws.
So now, in addition to worrying about the potential harm incidents like an Uber breach may cause to a company’s brand or to the CISO’s reputation and future job prospects, do we need to add concerns about the possibility of personal fines and jail time? Importantly, what protections and resources should every CISO make sure are in place to avoid assuming personal risk?
Expert Panel Shares Actionable Advice for CISOs
Last week, Aqua convened a panel of experts to discuss what the Uber data breach verdict means for those currently in a CISO (or equivalent) role, CISOs expecting to accept a position at a new company, as well as anyone thinking about becoming a CISO in the future. The focus of the conversation was not on this particular case (we’ll leave that to the courts, thank you), but rather on a few key areas:
- Before you take the job, what questions do you need answered to make sure you are properly protected?
- What insurance is necessary to cover you in the case of any alleged crimes, not just errors or omissions?
- How does the structure of the organization impact your ability to manage personal risk?
- What can you do in the role to avoid situations that could expose you to criminal charges?
Our panel included Jim Routh, former CISO for a number of large financial and health care enterprises and an active advisor to several current CISOs and corporate boards; Kimberly Peretti, partner at Alston & Bird LLP, a well-known law firm often engaged to assist companies in responding to breaches and to defend them from suits; and Susan Friedman, Senior Vice President at Gallagher, a global insurance and risk management consultancy that works on liability protection for corporate officers as well as coverage for cyber risk. You can view the full webinar by visiting our LinkedIn page. But let me share a few of the things that I found particularly interesting.
Before You Sign That Offer…
In recent years, a key protection sought by many CISOs as part of their employment package has been severance protection. The CISO is often the most obvious candidate to take the blame in the case of a breach, even in cases where everything from core security to disclosure was done right, so making sure that you protect your income makes sense. But the panel noted that with the Uber data breach verdict, it is now just as important to have liability protection in the form of D&O insurance (Directors and Officers Insurance). Although D&O coverage protects covered individuals from a range of claims, the panelists pointed out a few important elements. It is essential to make sure the CISO role is specifically covered, even if you are not an actual officer according to company bylaws, and to try to get coverage that extends past the end of your employment, up to and beyond three years. Ask for a copy of the policy from HR or the Chief Risk Officer and look carefully at any exclusions.
As a side note, even if you are already in a CISO role at your company and did not review these documents pre-employment, given this new verdict, it is reasonable to raise this as a discussion item now. With support from your CEO, you can likely get the items our panelists addressed, even getting bylaws updated to include the CISO, or at a minimum, adding the role to your policies.
Are You in Control of the Decision to Disclose?
It is almost always a very stressful situation when events like the Uber data breach are discovered. But what can make it even more difficult is if the discussions, and ultimately the decisions, are happening without your involvement. The panel flagged this as an issue for some CISOs, resulting in directions from executive management to limit disclosure. Your best option is to ensure you can be present whenever these topics are discussed, and that legal counsel is also present. Furthermore, make sure these decisions are well documented.
Some Tips and Best Practices to Stay in Compliance
On the topic of legal involvement, the panel recommended that CISOs involve the legal team early and often. Of course, you don’t need to consult them on every incident your team responds to, but rather when it becomes clear that a breach has occurred which may have exposed sensitive data. The question of whether you need to disclose, and when, is probably not something you want to answer on your own.
There is an important area you should understand along with your legal team, which relates to attorney-client privilege. Essentially, the information you share with your attorney (whether corporate lawyers or a personal attorney you may choose to hire) is treated as confidential. However, this gets complicated very quickly in areas of security. Because it is essential to learn from past events to build more resiliency against future threats, some information is best shared. Your legal team can help determine the optimal approach, but it can only do so if you have open lines of communication.
Having defined processes for how the company will respond to incidents and breaches is something all security teams likely have in place from a technical perspective. But the panel encouraged CISOs to make sure it goes further, covering both when legal is notified and when the board is informed. Well-defined policies help eliminate any gray areas where some stakeholders might disagree on whether a breach is material or not.
Our panelists went even further, encouraging organizations to extend their current “tabletop” security exercises to go through the whole cycle of engaging legal, board notification, and simulated external disclosure. Practice will flag areas needing more clarification and reduce panic in the wake of a real breach.
Is the Juice Worth the Squeeze?
There were many more pearls of wisdom our panelists shared over the course of the webinar, which concluded with the question of whether our panelists would go so far as to recommend that people take on the CISO role given this new level of potential risk. I’ll leave that for you to discover when you watch the webinar for yourself. But if you do feel the “calling to serve,” as our CISO panelist describes it, please make sure you have the support and resources our panelists shared, and that your consultations are all well-documented. In the end, it’s now clear that CISOs should not only tend to their companies’ risks but also consider the personal risk their role might bring them.
View the complete webinar Uber Verdict: The CISO, The Law, and The Door! with key insights from security leaders like Advisor & Investor Jim Routh here.