Do compliance officers need to worry about individual liability regarding data breaches? Yes, said two former federal prosecutors.

Compliance officers have many concerns. They fret about whether their firm’s internal controls are working properly to prevent fraud and other misconduct. They wonder whether their fellow employees, despite regular training and reminders, understand those controls and apply them properly. And they hope they will have the genuine and unqualified support of their firm’s senior management should things go sideways.

The Securities and Exchange Commission (SEC) has largely refused to engage with the compliance community regarding chief compliance officer liability, leaving CCOs more concerned than ever the agency will target them in enforcement actions. Both the New York City Bar Association and the National Society of Compliance Professionals have released CCO liability frameworks for the SEC to consider, but so far to no avail.

The Department of Justice (DOJ), meanwhile, has implemented a new policy requiring CCOs at penalized companies to certify their programs are reasonably designed at the end of any corporate resolution. DOJ officials, including Criminal Division head Kenneth Polite, a former CCO himself, have said the new policy is meant to empower compliance officers, but practitioners remain unconvinced.

Recently, a new individual liability concern has reared its ugly head in terms of causing compliance officers sleepless nights: data breaches.

The case of the Uber chief security officer found guilty by a jury earlier this month on two felonies for covering up a massive data breach and misleading federal regulators opens up another potential individual liability issue for executives handling cyber incidents, according to legal experts.

“This case was groundbreaking—it’s a new front in terms of potential personal liability,” said Edward McAndrew, a partner at law firm Baker Hostetler and a former DOJ cybercrime prosecutor and national security cyber specialist. “I’m hearing a lot of concern from security professionals about their potential exposure. The idea of potentially being thrown under the bus or scapegoated has many of them wondering whether it’s worth it.”

In a recent speech, Deputy Attorney General Lisa Monaco said the DOJ’s renewed focus on corporate crime will make individual accountability its No. 1 priority. It makes sense this policy shift will mean more corporate executives are likely to be held accountable if their firm is accused of wrongdoing.

Anytime an executive makes certifications to the government on behalf of a firm, whether regarding financial conditions or describing a data breach, those disclosures can be used against that individual, said Renato Mariotti, partner at law firm Bryan Cave Leighton Paisner and a former federal prosecutor in the securities and commodities fraud section of the U.S. Attorney’s Office. Lack of fulsome, complete responses to the government can be the source of serious liability, he said.

“Playing games with the government is done at your peril,” he said.

In the Uber case, the DOJ alleged Joseph Sullivan, hired as the company’s security chief in 2015 after it suffered a data breach investigated by the Federal Trade Commission, attempted to buy the silence of two hackers with a payout and nondisclosure agreement. Cutting separate, opaque deals with criminals brings liability on whoever is signing off on the deal for the firm, Mariotti said. Law enforcement, judges, and eventually a jury are likely to look unfavorably on such agreements, he said.

Perhaps the Sullivan case, in which a hacker was turned into a witness, is an outlier. Or perhaps it marks a trend. Remember: The pertinent facts of the case took place in 2015 and 2016, a lifetime ago in cybersecurity.

“That a hacker could be called against you as a witness by the government should be very concerning,” McAndrew said.

Another concerning aspect of the Sullivan case was that he faced charges alone, McAndrew said.

“The idea that a chief security officer is making a decision on a legal disclosure by himself seems fallacious,” he said. “The CEO was fully aware and approved the activity.”

Sullivan, himself a former federal cybercrime prosecutor, should have known more than most where his activities might have crossed the line, McAndrew said.

Mariotti, however, said he wasn’t surprised Sullivan stood alone to face the charges.

“The Justice Department prefers charging individuals rather than companies. There is a greater deterrence factor,” he said. “Individuals, including [chief information security officers], need to make sure they are fulfilling all their compliance obligations.”

Tips for managing liability risks

If your firm suffers a data breach and you are involved in the response and disclosure to regulatory agencies, what can you do to protect yourself from potential liability?

First, report the breach in a timely manner.

Ensure the incident response team is properly structured. The roles and responsibilities of each team member should be clearly defined and understood by all, McAndrew said.

If one division knows about some of what happened and another division knows another piece, all that information must be collected and assessed. Regulators are not going to look kindly on a firm that withheld pertinent information, even if it was due to internal miscommunication, Mariotti said.

“Whenever communicating with government regulators or enforcement, you are in a danger zone,” Mariotti said. “Great care and thought should go into every statement made to the government.”

Internal decisions made during the incident response process need to be documented, particularly regarding disagreements over what to disclose.

A timeline built from contemporaneous statements is generally viewed as more credible in a courtroom, McAndrew said.

“You’re going to need that documentation to prove what was going through your head and what the organization’s response was,” he said.