CyberSecurity SEE

Lessons Learned from the Infamous 2016 Uber Breach and its Former CSO Joe Sullivan


Joe Sullivan, the former Chief Security Officer (CSO) of Uber, was sentenced on May 4, 2023, to three years of probation for felony obstruction and misprision. Sullivan’s case has caused anxiety in the cybersecurity industry, sparking fears that cybersecurity professionals could face legal penalties for simply doing their jobs. Sullivan had been prosecuted by the U.S. government for not reporting a 2016 breach at rideshare and delivery company Uber which had threatened to expose the data of 600,000 drivers and the personal information associated with 57 million riders.

Sullivan had been drawn to the role of CSO to help prevent cybercrime. Earlier in his career, he had been an assistant U.S. attorney prosecuting cybercriminals, and before joining Uber he had worked at eBay and Facebook, where he built out their security and privacy programs.

“The goal as a community should be for security leaders to become more empowered, more resourced, and more championed under the leadership of their companies,” Sullivan said.

Sullivan’s case has galvanized the cybersecurity community, and some of the hundreds of letters of support he received were forwarded to the sentencing judge. The letters attest to Sullivan’s exemplary record as a cybersecurity champion and point to his community service and outreach.

However, cybersecurity professionals are anxious, confused, and fearful regarding the shifting issue of who is liable for the handling of breaches. There is a lack of clear federal guidelines for breach reporting. The letters of support for Sullivan also underscore the fear and confusion around the issue of liability for CSOs and the fear that they could face legal penalties for doing their jobs.

One of the signatories to the letters of support was Chenxi Wang, an experienced cybersecurity executive and managing partner at Rain Capital, which invests in cybersecurity startups. Wang said that while the case has resulted in cybersecurity professionals looking at better processes and controls for response and reporting, “you don’t want security executives fearing their jobs and responsibilities. That is a bad outcome to have happen.”

Another point of confusion is why Sullivan was held liable and accused of a cover-up when paper trails showed that Sullivan had informed and deferred to Uber’s CEO at the time, Travis Kalanick, and Uber attorney Craig Clark, who led Uber’s legal response to the 2016 incident. It is unclear why Kalanick was not held liable.

The judge acknowledged Sullivan’s efforts in containing the breach and retrieving the stolen records: he tricked the two hackers into signing a non-disclosure agreement and used that process to track their IP addresses, providing evidence that was later used to convict the hackers of conspiracy to commit extortion.

The judge also said that because of the failure to report the breach in 2016, the arrests of the hackers were delayed until 2017 when the breach was reported by Uber’s new leadership.

It remains unclear whether Sullivan was right or wrong in the decisions he made in handling the breach. Sullivan’s background as a former assistant U.S. attorney and the vilification of Uber at the time for past scandals add further complexity to the case.

The case highlights the ongoing confusion and uncertainty around liability for cybersecurity professionals and the need for clear federal guidelines for breach reporting. It is essential that cybersecurity professionals do not become more concerned about managing their own risks of legal liability than managing risk for their organizations. The cybersecurity community must continue to work towards empowering security professionals to better protect their organizations, while at the same time adhering to the law.
