As Ars Technica reports, ex-Uber security head Joe Sullivan’s conviction on charges related to concealing a massive data breach from regulators is seemingly the first hack-related criminal prosecution of an executive. When the Federal Trade Commission was investigating a different data breach in 2016, Sullivan discovered the second breach, which he kept hidden by paying the hackers through Uber’s bug bounty program.
Stephanie M. Hinds, the U.S. attorney for the Northern District of California, indicated that Sullivan’s case demonstrated what not to do in the event of a cyberattack. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users,” Hinds told The New York Times in a statement. “Where such conduct violates the federal law, it will be prosecuted.”
As Wired reports, CSOs are already referred to as “chief sacrificial officers” or “chief scapegoat officers,” and many worry that Sullivan’s guilty verdict will make recruiting qualified executives more difficult. Anthony Vance, a professor and researcher at Virginia Tech who specializes in cybersecurity issues, told the magazine that the conviction will have “a chilling effect.” One concern is that the case will leave a false impression that security executives should never pay hackers to keep data safe.
The role of chief information security officer has changed as a result of the conviction, according to CSO. A big lesson for security executives, the website notes, is that they should document even their tiniest decisions and be ready to defend them to regulators if necessary. Such documentation could keep them out of court.
The conviction has also drawn attention to a lack of corporate transparency around hacking, as Bloomberg reports.
Sullivan’s case might not be the last. Ilia Kolochenko, founder of IT security firm ImmuniWeb, told eSecurity Planet, “In the future, we will likely see more CISOs, DPOs and board members civilly liable or even face criminal prosecution for security or privacy incidents.”