A Lost Opportunity For Cyber Governance


Federal prosecutors won a conviction against Joe Sullivan this week for his actions in handling a 2016 data breach while he was Chief Security Officer (CSO) at Uber. Specifically, he was convicted of obstruction of proceedings of the Federal Trade Commission (FTC) and misprision of a felony due to his attempted concealment of the breach. This was the wrong result and a lost opportunity for the federal government to send a real message and set an example on cyber governance.

It was the wrong result because it was the wrong case: it laid blame on the CSO instead of the company’s directors and officers (D&Os). Sullivan was convicted for failing to report a data breach, which is not a crime, but the government made it into a crime by asserting that his payments to the hackers “concealed” the attack to Uber, and that his failure to report the data theft “obstructed” an already existing FTC investigation.

But both of these theories depend on the notion that it is the obligation of the CISO/CSO – and not the General Counsel or CEO – to report data breaches. Instead, prosecutors should have targeted Uber’s board and C-suite – at least Travis…
