Skip navigation
Menu
Opinion
Data Breach on laptop keyboard. Isolated text on theme of internet security. JBStock / Alamy Stock Photo
Industry Perspectives

What the Uber Breach Verdict Means for CISOs in the US

Can already beleaguered CISOs now add possible legal charges to their smorgasbord of job considerations? Disclose a breach to comply and face dismissal, or cover it up and face personal punishment.

This is a challenging time to be a CISO. The security community has been eagerly following multiple stories regarding Uber in the past few weeks. From the play-by-play of their recent major hack, to last week's guilty verdict of former Uber security chief Joe Sullivan, CISOs are facing considerable challenges.

The verdict in the Sullivan case found him guilty of obstructing a federal investigation and concealing a felony from the government. According to the New York Times: "Stephanie M. Hinds, the US attorney for the Northern District of California, said in a statement: 'We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.'"

Related: JetBlue CISO Tells Data Centers to Concentrate on Threat Actors

The government is sending a message to CISOs in the US — disclose and potentially lose your job, or cover up and go to jail. If they disclose information to the government, they meet compliance regulations, but their job will be on the line. A breach, especially one in which personally identifiable information (PII) is compromised, will result in a lawsuit and the CISO will likely get fired.

But the punishment for noncompliance, inability to demonstrate full disclosure, or any gray zone in the middle is now personal (unlike other regulations where noncompliance results in fines for the company). Covering up a breach, in the Uber case, and then further hiding details of the hack in the context of a federal investigation, can result in prison time.

This case also brings to light a new challenge for CISOs: "What did you know?" Concealing information is an important part of this case and verdict. Hiding information by saying "I didn't know" isn't an answer for a CISO with a data breach — it reflects negligence at best and is at worst a lie. Security teams need to know — and most likely do know about their security posture, from the many security tools they use — and what they know can't be concealed.

The Sullivan case has enormous gravity for the security industry. What can we expect from CISOs? Are these expectations fair?

Managing Expectations for CISOs

According to proposed legislation, the expectations are as follows. From the Form 8-K (6-K) Disclosure About Material Cybersecurity Incidents (PDF) — the following rules will be added:

Continue reading on our sister site Dark Reading

TAGS: Security
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
Hardware in the server room. Diagnostics.
Report: Cloud Infrastructure More Susceptible to Cyberattacks, Say CISOs
Sep 15, 2022
An image of the Intel logo at an office building
What Keeps Intel’s CISO Up at Night?
Aug 21, 2015
GettyImages-1087121574.jpg
When Internet Speed Isn’t Fast Enough, Data Transport Devices Can Fill the Gap
Apr 22, 2024
cloud computing illustration
Four Strategies to Meet Changing Demands on Your Data Center Infrastructure
Apr 10, 2024