The landscape of cybersecurity governance continues to shift as two major cases bring significant attention to the role of Chief Information Security Officers (CISOs) in handling breach incidents and their consequences. The cases of USA v. Sullivan and SEC v. SolarWinds shed light on the responsibilities, legal ramifications, and ethical expectations surrounding CISOs and corporate breach responses.
https://www.securitycareers.help/9-notable-ciso-legal-cases
https://www.compliancehub.wiki/cco-and-dpo-legal-case-and-corporate-fines
USA v. Sullivan
In a landmark case, Joseph Sullivan, Uber’s former Chief Information Security Officer, became the subject of legal scrutiny over his alleged mishandling of a 2016 breach that compromised sensitive data for 57 million Uber users and drivers. Sullivan was convicted in 2022 on charges related to covering up the data breach and obstructing the Federal Trade Commission (FTC) investigation into Uber’s earlier 2014 breach.
Sullivan’s appeal, discussed in the 9th Circuit oral arguments, challenges the interpretation of his actions. Appellate counsel argued for a distinction between an obligation to disclose and an act of covering up, likening the situation to the difference between a bug bounty payment and hush money, an analogy the court appeared largely unsympathetic to.
Key Allegations Against Sullivan:
The crux of the government’s case rested on several key actions taken by Sullivan:
- Falsified Documents: Sullivan allegedly falsified records that were presented to Uber’s legal team and the FTC.
- Hush Money: Uber paid the hackers $100,000, disguised as a bug bounty payment, with an agreement that they would not publicly disclose the breach.
- Affirmative Misstatements to the FTC: These included false representations about the steps Uber had taken to remedy the 2014 breach, which had resulted in ongoing regulatory oversight.
Over the course of ten months, Sullivan allegedly orchestrated a scheme to silo information, preventing key company personnel, including the General Counsel, from knowing the true extent of the breach. In doing so, he is accused of creating a culture of secrecy that ultimately led to misleading the FTC.
Implications for CISOs:
The Sullivan case sets a significant precedent. It underscores that CISOs are not only responsible for implementing technical responses to breaches but are also accountable for transparency and cooperation with regulatory bodies. By withholding information from Uber’s legal team and the FTC, Sullivan is accused of breaching his duty as an officer of the company.
The potential ramifications extend far beyond Sullivan himself, signaling to CISOs across industries that they may face personal criminal liability for decisions that result in the suppression of breach disclosures or misleading regulators.
SEC v. SolarWinds
The second critical case is SEC v. SolarWinds, which revolves around the infamous SolarWinds cyberattack of 2020. Hackers, believed to be backed by a nation-state (allegedly Russia), compromised SolarWinds’ Orion software, which was used by thousands of companies and government agencies, including U.S. federal institutions. The attack had far-reaching consequences, impacting global supply chains and exposing sensitive data.
Settlement Discussions:
The SEC filed charges against SolarWinds, alleging that the company failed to implement adequate cybersecurity practices, misrepresented its security posture, and failed to disclose risks appropriately to its investors. According to the court order displayed in the image, a second settlement conference has been scheduled for December 4, 2024.
This settlement conference follows previous discussions to address the SEC’s claims that SolarWinds violated federal securities laws by failing to properly safeguard its systems, which in turn harmed shareholders and exposed the company to massive financial losses.
In cases like these, the SEC seeks to hold companies accountable not only for their cybersecurity failures but also for their obligations to disclose potential risks to investors. SolarWinds has faced a reputational hit and significant scrutiny for its handling of the incident, and the company may face substantial fines or remediation orders based on the outcome of these proceedings.
Potential Consequences for Companies:
This case emphasizes the importance of cybersecurity due diligence for publicly traded companies. The SEC’s actions make it clear that cybersecurity is not just an IT issue but also a key factor in a company’s financial health and investor confidence.
Failing to implement robust cybersecurity measures or to disclose cyber risks can lead to significant penalties, as well as long-term reputational and financial damage. The SolarWinds case is expected to influence future regulatory requirements for cybersecurity disclosures and internal controls.
Key Lessons for CISOs and Cybersecurity Leaders
- Transparency is Non-Negotiable: The Sullivan case is a powerful reminder that CISOs must ensure transparent communication with both legal and regulatory bodies during a breach. Attempting to suppress information or failing to disclose critical details can lead to severe legal consequences.
- Legal and Ethical Responsibilities: CISOs are increasingly being viewed as corporate officers responsible not only for technical security but also for ethical and legal compliance. The actions taken by Sullivan serve as a cautionary tale for other security leaders.
- Regulatory Accountability: In the case of SolarWinds, companies that fail to properly secure their systems and disclose risks to shareholders face not only regulatory scrutiny but also lawsuits. CISOs must ensure that cybersecurity risk is adequately communicated at the highest levels of the company.
- Crisis Management and Preparedness: The response to a breach must be swift, organized, and transparent. Both cases highlight the need for companies to have well-established breach protocols and clear communication strategies to handle incidents.
Conclusion: Shaping the Future of Cybersecurity Governance
The outcomes of USA v. Sullivan and SEC v. SolarWinds are likely to reverberate across the industry. These cases show the growing intersection of cybersecurity, legal responsibility, and corporate governance. They also signal a warning to CISOs and other cybersecurity professionals to be vigilant not only in securing their organizations but also in ensuring transparency and regulatory compliance.
As both cases unfold, they will shape the standards for how organizations handle breaches and influence the broader regulatory landscape. In a world where breaches are inevitable, how they are handled will define both the professional futures of those responsible and the financial stability of the organizations they serve.
For more detailed updates on these cases, you can follow discussions and legal updates through resources such as the 9th Circuit Court, the SEC filings, or cybersecurity law blogs that are monitoring these developments closely.
There have been several notable CISO cases after 2020, highlighting the increased scrutiny on CISOs and their roles in breach responses, regulatory compliance, and corporate transparency. Here are some of the key cases:
1. T-Mobile Data Breach (2021)
- CISO Involvement: The 2021 T-Mobile breach exposed personal data, including Social Security numbers and driver’s license information, of over 40 million customers. The company’s CISO and security team came under fire for failing to adequately secure sensitive data, even after multiple prior breaches.
- Key Issue: Hackers exploited vulnerabilities in T-Mobile’s systems, exposing sensitive customer information. This breach marked at least the fifth such incident in four years for the company.
- Consequences: T-Mobile agreed to a $350 million settlement in a class-action lawsuit in 2022 and committed to spending $150 million on cybersecurity improvements. The incident raised questions about the CISO’s responsibility for ongoing cybersecurity failures and the company’s ability to secure customer data following repeated breaches.
2. SolarWinds Supply Chain Attack (2020–2021)
- CISO Involvement: SolarWinds’ CISO and cybersecurity leadership were heavily scrutinized after a nation-state cyberattack compromised the company’s Orion platform. This attack impacted thousands of customers, including U.S. government agencies and corporations worldwide.
- Key Issue: Hackers inserted malicious code into SolarWinds’ Orion software updates, which were then distributed to thousands of customers. The attack highlighted serious weaknesses in SolarWinds’ supply chain security and incident response protocols.
- Consequences: The attack led to widespread fallout, including SEC investigations and lawsuits. SolarWinds faces significant regulatory scrutiny for its failure to secure the software supply chain and for potential misrepresentation of its security posture. As noted in ongoing legal actions, the SEC has held SolarWinds accountable, with settlement conferences continuing into 2024, and further regulatory and legal consequences expected.
3. Twitter Data Breach (2020)
- CISO Involvement: Peiter Zatko, also known as “Mudge,” was hired as Twitter’s CISO after the company’s 2020 hack. While Zatko was not directly involved in this breach, his whistleblower disclosures in 2022 brought significant attention to Twitter’s cybersecurity practices post-breach.
- Key Issue: In the 2020 breach, hackers gained control over prominent accounts (including Barack Obama, Elon Musk, and Bill Gates) to promote a cryptocurrency scam. Later, Zatko revealed in his whistleblower complaints that Twitter had serious security vulnerabilities, including weak access controls and insufficient defenses against insider threats.
- Consequences: Zatko’s revelations added legal and regulatory pressure on Twitter. The company faced multiple investigations, including by the FTC, and lawsuits from shareholders. The whistleblower disclosures led to intense scrutiny over how Twitter’s security team, including Zatko as CISO, handled security vulnerabilities after the 2020 breach.
4. Flagstar Bank Data Breach (2021)
- CISO Involvement: Following a 2021 ransomware attack, Flagstar Bank’s CISO and cybersecurity team were under investigation for their handling of the breach, which exposed the personal information of over 1.5 million customers.
- Key Issue: Flagstar failed to adequately secure customer data, allowing a ransomware group to access sensitive personal and financial information, including Social Security numbers. The breach also highlighted the importance of robust data encryption practices, as the attackers exploited vulnerabilities in the bank’s systems.
- Consequences: In June 2022, Flagstar reached a $5.9 million settlement to resolve claims related to the breach. The CISO and security team faced internal scrutiny for their role in managing third-party vendors and ensuring encryption practices. The incident reinforced the CISO’s role in vendor management and data protection.
5. Neiman Marcus Data Breach (2021)
- CISO Involvement: The luxury retailer Neiman Marcus disclosed a breach in 2021 that impacted the personal information of 3.1 million customers. The CISO’s role came under examination regarding how the company managed legacy systems and cybersecurity hygiene.
- Key Issue: The breach, which reportedly occurred in May 2020 but was only disclosed in 2021, highlighted potential weaknesses in Neiman Marcus’s data protection protocols and incident response mechanisms. The delay in reporting the breach also raised regulatory concerns.
- Consequences: Neiman Marcus faced a lawsuit and regulatory inquiries, particularly from states with stringent breach notification laws. The breach’s delayed disclosure put the company’s security leadership, including the CISO, under scrutiny for its handling of incident response and breach reporting protocols.
6. Experian Data Breach (2020)
- CISO Involvement: Experian’s South African branch faced significant backlash following a data breach in 2020 that exposed the personal data of 24 million customers and 793,749 businesses. The company’s CISO and global security team were scrutinized for the breach response.
- Key Issue: The breach was a result of a social engineering attack, where a fraudster gained access to Experian’s data. Questions were raised about how Experian’s internal security controls allowed such a massive data set to be accessed so easily.
- Consequences: While no fines were levied directly against the CISO, Experian faced class-action lawsuits and reputational damage. The case highlighted the responsibility of the CISO to protect against social engineering attacks and implement more robust data access controls.
7. Accellion Data Breach (2020–2021)
- CISO Involvement: Accellion, a file-sharing service, experienced a significant breach in late 2020 and early 2021 that affected several large organizations, including healthcare providers, universities, and corporations. The breach involved vulnerabilities in its legacy File Transfer Appliance (FTA) software.
- Key Issue: Despite warnings about security vulnerabilities in the legacy system, Accellion failed to properly secure or decommission its FTA product. The breach exposed sensitive data and led to widespread data theft.
- Consequences: Accellion faced class-action lawsuits and regulatory scrutiny for its handling of the breach. The company’s CISO and security leadership were criticized for continuing to support outdated software with known vulnerabilities. The breach became a cautionary tale about maintaining legacy systems in an evolving threat landscape.
Emerging Themes in Post-2020 CISO Cases:
- Increased Scrutiny on Breach Response and Disclosure: Many post-2020 cases, like those involving T-Mobile, SolarWinds, and Neiman Marcus, have focused on how quickly and transparently companies disclose breaches. CISOs are expected to lead these efforts, and delays or miscommunications can lead to severe regulatory penalties.
- Vendor Management and Third-Party Risk: Breaches such as those at SolarWinds and Accellion have underscored the importance of managing third-party vendors. CISOs are now more involved in ensuring that vendors follow strict cybersecurity protocols, as third-party breaches can have devastating consequences.
- Nation-State and Supply Chain Attacks: The SolarWinds breach exemplifies the growing risk of nation-state attacks and the need for stronger supply chain security practices. CISOs are now expected to account for sophisticated, state-sponsored threats in their security strategies.
These cases post-2020 reflect a trend of growing accountability for CISOs, as regulatory bodies, shareholders, and customers demand greater transparency and higher standards of cybersecurity across organizations.