On
While Sullivan avoided prison time, his conviction serves as a loud alarm bell for corporate officers, highlighting that they could face criminal liability in extreme cases for their actions, or lack thereof, when responding to a cybersecurity breach. Cybersecurity professionals and their counsel will be well advised to focus on and heed their legal and ethical obligations to resolve cybersecurity incidents with honesty and as much transparency and candor as possible.
Sullivan Yielded To Hackers' 2016 Ransomware Attack in the Midst of an Ongoing FTC Investigation
Uber hired Sullivan as its CSO in
A mere ten days after providing testimony to the
Sullivan failed to disclose the 2016 data breach to the
In the fall of 2017, Uber's new management, led by new CEO
The charges Sullivan was convicted of focused on his failure to disclose and efforts to conceal the 2016 breach. Upon Sullivan's conviction,
In a case closely followed by the cybersecurity industry,
Best Practices When Responding to Cybersecurity Breaches
Sullivan's conviction raises the stakes for information security professionals, who should continue educating themselves on the latest legal requirements and best practices in responding to a cybersecurity incident. We've written on this subject before here, here, and here — and below are a few key, high-level pointers:
- First and foremost, the responsibility to respond to data breaches should not rest solely on the shoulders of cybersecurity professionals. Companies that collect and store PII from their users should proactively implement and update their incident response plan (IRP) — and make sure to follow the plan should an incident arise. Robust IRPs require coordination from various internal and external resources such as professionals from information security, human resources, public relations/communications, finance, and legal in the event of a security incident or ransomware attack.
- Second, having in-house and/or retained legal counsel lead investigations and responses to security incidents can ensure that legal obligations are met, help maintain the privileged nature of certain communications and work product, and assess legal exposure caused by the data breach. Legal counsel play a critical role in responding to data breaches, particularly as government investigations and litigation following such breaches have become increasingly common.
- Third, when appropriate, companies, working with their legal advisers, should timely notify proper law enforcement agencies and necessary third parties (or make a reasoned and supportable decision as to why such notice might not be required). Law enforcement (e.g., FBI, Secret Service, or state bureaus of investigation) can help companies understand their available options with respect to particular threat actors and how to prevent future incidents. Additionally, certain breach notification laws, like the EU's General Data Protection Regulation and some state statutes, require companies to notify the relevant regulator and individuals depending on the type of data at issue as well as whether the data was "acquired" or merely "accessed." Companies also may have contractual or statutory obligations to notify customers, vendors, and other government agencies of a security incident.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Ms
Arnold & Porter
601 Mass. Ave., NW
DC 20001-3743
Tel: 202.942.5000
Fax: 202.942.5999
E-mail: anna.shelkin@arnoldporter.com
URL: www.arnoldporter.com
© Mondaq Ltd, 2023 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com