Joseph Sullivan, the former Chief Security Officer (CSO) of Uber, is facing major backlash after a criminal complaint was filed in federal court about his efforts to cover up the 2016 data breach that affected Uber. During his time as CSO, Mr. Sullivan was approached by two hackers who claimed they had accessed a database that contained nearly 57 million records of PII for Uber customers and drivers. Mr. Sullivan paid the hackers $100,000 USD through Uber’s “Bug Bounty” program in exchange for their silence, and he sent a Non-Disclosure Agreement (NDA) for the hackers to sign, even though they never revealed their names or locations. Following that situation, Joseph Sullivan went out of his way to keep the information about the hack away from the ongoing investigation by the Federal Trade Commission. Since this incident, the two hackers have pleaded guilty to computer fraud conspiracy charges in Northern California and await their sentences. Mr. Sullivan has been charged with obstruction of justice and misprision of a felony but has yet to make an appearance in court.
The main point that makes this case a little different is that Sullivan was designated as the company representative to give statements under oath to the FTC investigators about Uber’s previous breach, and he failed to disclose this one. His defense attorney stated that Uber’s legal counsel was responsible for making the decision not to disclose the breach and that Sullivan was just following their advice, as he had to. Some people in the infosec community have stated that CISOs and CSOs must follow the legal advice that the attorneys give, or risk being fired. However, this case brings up a whole separate issue of personal legal liability for CSOs and CISOs. The controversial issue here is not whether Uber should have disclosed the breach (of course they should have). The important question is whether it is the corporation or the Chief Security Officer personally that should be held liable.