Don’t Stand So Close To Me…When One Executive Goes Bad
Case Study: The cyber breach that ushered in a new era of executive liability, and more importantly, what it means to you.
A shiver went through the collective spines of Chief Information Security Officers (CISOs) around the country last week when Joe Sullivan, former CISO for Uber, was found guilty of charges related to breaches at the company in 2014 and 2016. It is believed that this is the first time a CISO, or an executive for that matter, has ever been held personally liable for any aspect of a company breach.
“Technology companies…collect and store vast amounts of data from users. We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers…We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.” (United States Attorney Stephanie M. Hinds, October 5, 2022.)
Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum three years in prison for the misprision charge, though a date for sentencing has not been set. Sullivan may appeal if post-trial motions fail to set the verdict aside.
The basic facts of the Uber breaches:
According to public records, the following is a summary of the key facts:
In 2014, Uber had a serious data breach affecting the user data of 50,000 consumers, including names and driver’s license numbers. Uber timely reported this breach to the Federal Trade Commission (FTC) as required under the law.
In 2015, the FTC initiated an investigation. Shortly after the investigation began, “rock star CISO” Sullivan was hired as Uber’s CISO.
The FTC served a Civil Investigative Demand on Uber, which required Uber to disclose information about all other instances of unauthorized access to user personal information, as well as information regarding Uber’s broader data security program and practices. Sullivan complied with the request and its follow-ups (which took approximately a year), and he even testified about Uber’s strong security practices at a hearing on the matter.
Still, nothing of concern, right?
Just a few days after his testimony in 2016, Uber was hacked again. This time, ransomware hackers stole the personal data of approximately 57 million Uber users, along with 600,000 driver’s license numbers.
And this is where the wheels fell off the car:
Rather than report the new information to the FTC or even notify impacted consumers of the breach of their data, Sullivan commanded some members of his team to hide the information from nearly everyone.
Sullivan then paid the ransomware hackers to sign nondisclosure agreements (NDAs) prohibiting them from telling anyone about the breach. The NDAs also included representations that the perpetrators did not take or store any of the data obtained in the hack. All of this was in exchange for $100,000 in bitcoin. Sullivan did not initially know the names of the perpetrators; only later was a “replacement” NDA created that contained the actual names of the hackers.
Sullivan never mentioned the 2016 breach to Uber’s lawyers or the other members of the Uber team working on the FTC situation, and Uber reached a preliminary settlement with the FTC for the first breach without disclosing critical information about the second breach.
Sullivan claimed that his actions were driven solely by his desire to protect user data in any way he could. Dara Khosrowshahi, Uber’s new CEO, not buying the approach taken by prior leadership, asked for a lengthy investigation into the matter, and eventually fired Sullivan. In addition to ushering in a new era of transparency, Uber admitted the breach, paid $148 million in civil litigation costs related to the breach, and settled its case with the federal prosecutors this past July, promising “full cooperation” in the criminal case against Sullivan. But the damage was already done.
Who is really at fault here: the CISO or the hackers?
And before you say, “the issue is with the criminals/hackers and not the CISO,” note the hackers were prosecuted and pleaded guilty back in 2019. They still await sentencing. And, you cannot ignore the downstream implications. Not only did the coverup executed by Sullivan hinder the Uber investigation, pleadings indicate that after Sullivan assisted in covering up the hack of Uber, the hackers were able to commit an additional intrusion at another corporate entity—Lynda.com—and sought to ransom Lynda.com’s data as well.
What was the crime: the breach or the handling of the breach?
Having a breach is a “way of life” for most companies today. At Uber, Sullivan was not convicted of being an ineffective CISO. He was convicted for interfering with the FTC’s investigation into the breach and concealing a felony.
Thus, a critical part of assessing talent and selecting a CISO is confirming that the individual understands how to communicate and respond appropriately to any breach situation, and has the managerial confidence to do so.
What is the Board’s responsibility?
Boards are typically protected from personal liability as long as they honor their fiduciary duties. Fiduciary duties for both directors and officers of a company include, but are not limited to, the Duty of Care and the Duty of Loyalty. These romantically named duties simply mean that the director needs to perform their role in a manner they believe is in the best interests of the company, and with the care that a reasonably prudent person in a similar position would use under similar circumstances. Further, they cannot use their position to put their own interests ahead of the company’s interests, including competing with the company or taking steps that could injure the company. Said another, less lawyer-y way, board members and executives will not be held personally liable for incorrect decisions or any actions made in good faith with the organization’s best interests at heart.
In Uber, should the board have done more? Known more? If many of the executives were in the dark, it’s likely the Board was too. The challenge of any board is to balance the desire to have a collegial board environment with the need to challenge the information provided and probe for additional information among the larger leadership team (including those outside the C-suite).
Infested: the liabilities your peers in the C-Suite can create for you….or, go to bed with dogs, wake up with fleas.
Typically, the business judgment rule protects executives and directors from the results of bad decisions as long as those decisions have been made in good faith. Just like directors, executives have fiduciary duties to perform their jobs in the organization’s best interests and with the typical skills and judgment of a person with their type of responsibilities. However, there are exceptions where personal liability extends to directors and officers. When these circumstances are present, a court can disregard any liability protections offered by the corporation, which is called “piercing the corporate veil.”
With Uber, the investigation into Sullivan’s actions made it clear that he withheld information from the company’s lawyers and general counsel, as well as from FTC investigators, when the second (2016) breach occurred. However, the prosecutors presented evidence that Sullivan shared details of the hack and payment with then-Uber CEO Travis Kalanick, as well as the company’s chief privacy lawyer. They also claimed Sullivan did not reveal the true scope of the incident to the company’s new CEO, Dara Khosrowshahi. Since it appears that the matter ends with Sullivan, at least for now, we may never know if indemnities or insurance will apply, or if personal liability would have extended to others “in the know.”
In normal circumstances, as long as executives can show that they had no knowledge of the crime, the company should and likely will indemnify those executives, and insurance coverage should apply to insulate their personal assets from judgments and legal fees. In addition, it is unlikely that they will be held personally responsible, as they had no knowledge of, and did not participate in, enable, or otherwise encourage, the bad actor. So what would that mean for Kalanick and the others who allegedly knew? Did the Feds not have enough evidence to prove Kalanick or the Chief Privacy Officer had knowledge of the cover-up and subsequent interference with the investigation? Were they hoping to get more leverage through this investigation that never ultimately panned out? Or was this just a matter of making an example out of Uber for its various misdeeds in whatever way they could assemble an ironclad case?
Earmuffs!
Why is the knowledge standard so important? It ensures that personal liability only extends to parties directly aware of the crime, and establishes a foundation for insurance coverage.
In fact, many directors and officers (D&O) insurance policies contain severability provisions that limit applicability of the knowledge of one officer or director to the others, or to the company. This ensures that if an executive or director truly did not know of the bad acts of another, they are not barred from coverage themselves. But does the shield of “not knowing” create a chill on organizations’ zeal for protecting shareholder interests and investigating matters of concern?
It is unclear why the team under Sullivan did not take the high road and disclose what they knew to other members of the Uber executive team. Maybe they thought it would not do any good? Maybe they were worried about their jobs and the viability of Uber as an organization? Maybe they did not know what to do or who to report the information to? Maybe it was a fear for their own liability? Maybe they believed Sullivan’s view that it WAS the best way to protect their users’ information? Most likely, it was a combination of factors that created a culture that did not value transparency, and/or did not provide clear guidance on whistleblower protections and policies.
Regardless, as crazy as some of the facts are in this case, the biggest lesson for leaders in every organization is to avoid the false security of “THAT would never happen here.” Assume it could and act accordingly. One of the best rules of thumb in difficult situations is the age-old “front page” test. If you aren’t sure what to do, consider how you would feel if the situation were on the front page of the newspaper (I guess now it would be Buzzfeed or TikTok). This should be the cultural standard for your employees too. Make sure they know that anything they bring forward to avoid reputational damage for the company is encouraged and appreciated, and will be acted on appropriately (even when the action is difficult).
What applies? Directors and Officers (D&O) or Cyber insurance coverage?
Cyber events create an interesting intersection of insurance coverages. For example, cyber coverage typically covers the liabilities created by a breach, which can include remediation, notice, credit monitoring, credit restoration, public relations and other experts to assist with the situation, and other costs associated with the company’s attempt to protect the individuals compromised in the breach and to repair any damage to the company and the individuals.
Conversely, D&O coverage will typically step in to protect directors and officers against the costs and liabilities associated with investigations and shareholder claims related to failure to maintain adequate data system protection measures, inadequate monitoring, failure of security controls, or any financial misstatements or disclosures related to such. Said another way, D&O coverage typically focuses on the environment that allowed the breach to happen, while cyber covers the actual costs of making everyone affected by the breach whole.
Company indemnities and D&O policies do not cover bad acts.
A lot of executives suffer from the belief that no matter what they do in their professional capacity, the company will indemnify them. This could not be further from the truth. For example, if an executive or manager violates the code of conduct or the law and harasses an employee, the company does not have to defend or indemnify them if the company determines that they violated a company policy. Taken a step further, if a plaintiff sues the company and smartly names the individual in their suit as well, the company does not need to provide indemnification and thus the manager is then personally liable for their legal fees and any verdicts. In addition, D&O coverage (and company indemnification) will not step in if the individual intentionally breaks the law or commits fraud.
Best practices to avoid a nightmare breach scenario:
Today’s installment concludes with an action plan of sorts. There are many elements to ensuring your organization is compliant with various regulations and proactive about security events and the potential for executive liability.
However, a short list of key preparation items follows:
Design a breach response plan, and make sure it has been reviewed and approved by the Board, executive team, and legal. These plans should be tested regularly, and include educational elements for all employees related to new hacking tactics. The plan should also include any outside providers (public relations, legal) that may need to be contracted in advance and approved by your cyber insurance carrier.
The important element in any security environment is ensuring that policies and systems are in place to prevent and deter such acts. Develop comprehensive security policies if your organization touches any confidential data, and revisit them frequently. Make sure they comply with applicable laws, as well as industry best practices. Make the policies available to every employee and contractor (especially those using GitHub and other code repositories), and refresh their understanding regularly.
Create a culture of transparency for anything that could impact the organization’s reputation, especially breach situations and response plan testing. Ensure the organization “rewards” and “properly acknowledges” the reporting of any issue related to breaches and situations that could create reputational damage.
Understand the relationship between different teams (such as security, legal, and IT) and ensure that everyone is keenly aware of changing regulatory requirements related to cyber reporting, minimum standards and policies required, etc.
Promote a whistleblower and investigation mindset to encourage employees to report any area of concern. Follow up by investigating good-faith accusations of misconduct.
Understand insurance coverage and how it works together, including:
Be sure the CISO is an “insured person” under the D&O policy, and meets the reporting obligations required by the coverage and any state or federal statutes.
Verify that there is a clear severability between directors, officers, and the company in the D&O policy, and that the bad acts of one member are not imputed to others that did not have knowledge of the act.
Understand how your business interruption coverage responds to cyber events, and which policy you look to if you are unable to operate and provide contracted services to customers, etc. Some cyber policies include an errors and omissions (E&O) component as well, but it does not cover the errors and omissions of the executive team in leading the cyber efforts. This E&O element is for the organization in the event it cannot fulfill its contractual obligations to customers due to the cyber event, and this last point is where a lot of individuals get confused. Companies also often assume their business interruption coverage kicks in if they have to shut down their systems to deal with a compromise. Check your fine print, as this is not always the case, and cyber events are sometimes excluded.
For more on insurance, see Don’t Wait Until You Hit An Iceberg, and its supplement on Professional Liability.
To limit the potential for piercing the corporate veil, follow the requirements for operating a corporation (including an LLC). For example, corporations and LLCs cannot commingle assets between officers and the company itself, and must comply with the formalities required of a corporation, including annual fees or annual report filings.
What do you think about the Uber case and the subsequent impact on breach oversight? Leave a comment to share your insights with the community.
This article was created as the result of a reader suggestion. Keep them coming and email your suggestions and comments to prepovercoffee@substack.com!
PrepOverCoffee loves the challenge of trying to simplify complex concepts for the community. If there is a business concept you’d like to understand more fully or at least have a better feel for what questions to ask, please let me know - and try to stump me! I cannot promise every suggestion will be covered, but I will do my best.
And, share with your colleagues today!