Guilty Verdict for Breach Cover-Up a Reminder to Maintain Playbooks, Legal Cover
Should CISOs be running scared in the wake of the Joe Sullivan verdict?
Numerous legal and security experts say the answer to that question is a resounding “no.”
True, a federal jury this month found the former Uber CSO guilty of a criminal data breach cover-up over a security incident resulting in the exposure of records for approximately 57 million of the ride-hailing service’s users and 600,000 driver’s license numbers.
But the case against Sullivan hinges on circumstances other security professionals seem unlikely to ever face. In part, Sullivan had been designated by Uber to be the corporate officer who would provide sworn testimony to the Federal Trade Commission while it probed the ride-hailing platform’s security practices and procedures. Because he didn’t inform the FTC about a new security incident, a jury found him guilty of obstructing the investigation.
“There are a lot of unique facts here” that makes this case “more of an outlier,” says Imran Ahmad, partner and head of technology at law firm Norton Rose Fulbright. “From my perspective, I’m not sure there’s a ton that can be applied across all organizations – a blanket approach to it in terms of how the courts are looking at these issues.”
Security experts say one clear takeaway from the case is the need to proactively develop and maintain well-defined incident response playbooks. These will detail not just an organization’s technical response but also coordination with business operations and processes, including crisis management and legal input.
Such playbooks help ensure that parts of the organization responding to an incident – not just security teams, but also legal – have a written set of policies and procedures for what to do and when, including who to notify and alert along with which types of information they need to provide.
No playbook could have predicted the precise set of circumstances Sullivan and Uber faced, given the nuances of the FTC investigation. With that in mind, Ahmad says incident response playbooks must also feature a top-down mission statement to guide the response. He recommends they advocate for erring on the side of transparency when dealing with stakeholders, be they “board members, shareholders, employees, customers or regulators.”
Having to inform someone about a breach can be painful, and a business won’t always decide that it must do so. “But generally speaking, you will get some brownie points by disclosing, even if it hurts short-term,” he says. “Longer-term, you’re probably going to be better off.”
Security Incidents Are Chaotic
As anyone who has worked a security incident knows, responding to an incident is often a chaotic, stressful endeavor that involves sleep deprivation.
“One of the problems is that in any incident response, there’s going to be miscommunications, there’s going to be incomplete communications, there’s going to be a failure to communicate. There’ll be you told somebody one thing and didn’t tell somebody else something else,” said cybersecurity legal expert Mark Rasch, who’s of counsel to Kohrman Jackson & Krantz LLP, in an interview about the Sullivan verdict with cybersecurity analyst Richard Stiennon.
Rasch says that as an attorney, he has two rules. “Rule number one is: The lawyer doesn’t go to jail. Rule number two is: The client doesn’t go to jail, unless this conflicts with rule number one.”
Security professionals, he says, should have a similar mindset, and “get cover” from the legal team for their course of action. “So as a CISO, your first rule is: The CISO doesn’t go to jail. But that’s also difficult, because a lot of these questions – about ‘Is this legal? Is it not legal?’ – are vague and murky,” he says.
One strategy for CISOs is to build consensus by communicating what’s happening to other relevant parts of the organization and trying to get executives to understand the situation as best they can. “Keep everyone informed and do it in writing, and possibly do it in writing in privileged communications. Understand who makes the ultimate decision,” Rasch says.
In the wake of the Sullivan verdict, “in the short term, what’s going to happen is CISOs are going to dump everything on the general counsel,” over fears that what they do won’t just get them fired – which comes with the job – but potentially incarcerated, Rasch says.
If a CISO attempts to keep everyone informed but gets advice they disagree with – for example, if the general counsel doesn’t think a security incident is a notifiable breach, but the CISO does – they have other options. They can quit, for example, or potentially turn whistleblower.
To repeat Rasch’s guiding principle: “Your first rule is: The CISO doesn’t go to jail.”