Should corporate executives be held criminally responsible after a data breach? Former Uber CSO Joe Sullivan was recently convicted of essentially hiding a hack from federal investigators. The cybersecurity community is divided over the case, and perhaps a little intimidated by it. In this episode of Debugger in 10, Duke Law Professor Shane Stansbury digs into the details.
This case is unusual. Uber was already under investigation by the Federal Trade Commission for a previous breach, so Sullivan's failure to notify investigators, and his decision instead to pay the hackers for their silence, were at issue. Still, Stansbury said the incident is a signal to security executives that federal officials want more transparency in the event of a hack.
Stansbury also explains why then-CEO Travis Kalanick didn't face a similar legal crisis. Additional analysis of this incident can be found in this New York Times article by Kashmir Hill and Kellen Browning. Below is the full transcript.
————————– Transcript —————–
Bob: Should corporate executives be held criminally responsible after a data breach? Former Uber CSO Joe Sullivan was recently convicted of essentially hiding a hack from federal investigators. The cybersecurity community is divided over the case. For more, we turn to Professor Shane Stansbury of the Duke University School of Law. Shane, please give us the details of the incident.
Shane Stansbury: Thank you, Bob. The case is interesting because it is the first time we have seen a CSO prosecuted for activities related to a data breach. The incident actually stemmed from two data breaches: one in 2014 and the other a few years later. Joe Sullivan is an interesting character in this story, because he was hailed by many in the security industry when he became CSO of Uber.
He came from Facebook, eBay and elsewhere, and was highly respected in the industry. In 2015 he joined Uber. At the time, Uber was being investigated by the FTC over the 2014 data breach, and Sullivan was involved in the response to that FTC investigation. He testified under oath to the FTC.
He gave a presentation on Uber's data security measures, and he was central to that investigation. Ten days after he testified to the FTC, there was a second data breach. It was very similar to the 2014 breach, but the scale was different.
I think it was 57 million Uber users and about 600,000 drivers, whose driver's license numbers were compromised. The essence of the case is this: after learning of that second breach, Sullivan didn't disclose it to the FTC. The FTC was still investigating the earlier incident, trying to wrap up its investigation and come up with a settlement.
Sullivan apparently wasn't acting alone, and that is one of the details that made the case intriguing and, in some ways, difficult for the government. But the nature of the case is that he concealed this information. It came out later, after Uber had a new management team and a new CEO.
An internal investigation ensued, at which point Uber disclosed the breach to the FTC. The FTC apparently had to hit the pause button on the previous settlement.
Sullivan was eventually indicted and put on trial, and many in the industry were watching very closely what happened.
It wasn't an easy case for the government, but in any event, I can't say I'm surprised he was eventually convicted.
Bob: One of the defenses put forward by Sullivan's team was that the hackers, who demanded a $100,000 ransom, were brought into a bug bounty program.
And they said that's pretty common in the industry. Is there a difference between these two things, and how do you explain why the jury found Sullivan's actions criminal?
Shane Stansbury: Sullivan was charged with two counts. One of those counts related to obstructing an FTC investigation. The other was what we call misprision of a felony, which is essentially taking affirmative steps to cover up a felony that has occurred. And that second count, I think, was central to what Sullivan and others did: they used the bug bounty program to hide the hackers' felony.
So, as you said, $100,000 was paid out to the hackers through that bounty program, where typical payments were $10,000. Essentially, Sullivan and some of the others he worked with said, why don't you sign this non-disclosure agreement,
and we will give you the prize. Importantly, that non-disclosure agreement stated that the hackers had not obtained or stored data. I think that's a departure from the typical bug bounty programs you'll find at typical companies.
Bob: So Sullivan was the head of security at the time. He was not the company's CEO; that was Travis Kalanick. There is much debate as to why Kalanick was held less responsible. It seems far-fetched that he wasn't involved in dealing with the criminals. What do you think about that?
Shane Stansbury: Yeah, Sullivan was indicted, and there are people who are definitely frustrated that the others weren't. I mean, it's not uncommon in criminal cases. If a bank's CFO is indicted, people are sometimes annoyed that other people should have been prosecuted too. I think those are legitimate questions, because Sullivan had conversations with Kalanick during the period we're discussing. There was also an in-house lawyer, Craig Clark, who was central to the government's case. He helped draft the non-disclosure agreement, and he was granted immunity by the government in exchange for testifying.
It's always difficult for those of us on the outside to put ourselves in the government's shoes and know what evidence they had against Kalanick, Clark and others, versus what they could present against Sullivan. I know they needed help. They needed Craig Clark's testimony. Did they need Sullivan to flip? Did they need his testimony against Kalanick? Maybe, and maybe that's why they didn't bring other charges. I don't know. So I take the case for what it is. I can't say it was brought unfairly or that I was surprised to see a conviction.
But I think it's perfectly legitimate for people to ask why others haven't been charged or convicted as well.
Bob: We know the scourge of ransomware is still plaguing businesses across the country and around the world. We also know there are many situations where companies pay the ransom. Will this incident affect ongoing activity in the ransomware world?
Shane Stansbury: Well, I think it certainly gets companies thinking about the steps they need to take if they go forward with a payment. One of the surprising things about this incident was that nobody seemed to be in the loop, so to speak, when these hackers were being paid. I mean, I think a lot of companies, or a lot of CSOs in Sullivan's position, may have made similar decisions about whether the hackers should be paid. But how you pay is another matter, right? Sullivan didn't let his general counsel know this was happening. Uber does not appear to have had particularly good risk management practices when it got involved with these payments. It is also unclear whether the board was notified.
I think it's certainly going to make companies take a step back and think about putting in place a good process for deciding what threat threshold must be met before a payment is made, what steps need to be taken, who needs to be notified, and how to manage that risk once the decision is made.
Bob: Some call it the first cybersecurity perp walk. It's the first time someone in this role has had to stand in front of a jury and be held criminally responsible for something like this. What is the significance of this first perp walk?
Shane Stansbury: Well, yeah, I think it's an important case, but it's also important not to read too much into it. In some respects, this was a unique set of facts. It's always a bad idea to actively hide information about a security incident from a government agency while that agency is actively investigating it. And, you know, I think there was an act of cover-up here that in some ways was unique.
I don't know that all CSOs should see themselves in it in that sense. With that said, cybersecurity professionals and executives, like everyone else, can be held liable if they are involved in corporate misconduct.
I think that shows the government is looking at the tech industry just as it looks at other industries where corporate fraud may occur.
And I think it's also important to understand that this comes against the backdrop of government activity in recent years: recent activity by the White House, the FTC, the SEC, the Treasury and others. Governments expect more disclosure about cybersecurity programs and incidents, and as that evolves, I think more will be expected of cybersecurity professionals as well.
Shane Stansbury: So, are we going to see more cases like this? Hard to know. But given the circumstances, I think this was a difficult case for the government to ignore.
Bob: Professor Shane Stansbury of the Duke University School of Law, thank you for joining us.