
What the Uber-Joe Sullivan Case Means for CISO Liability

Attorney Lisa Sotto Advises Security Leaders to Seek Adequate Liability Coverage
Lisa Sotto, partner and chair of the global privacy and cybersecurity practice, Hunton Andrews Kurth LLP

Former chief security officer Joe Sullivan avoided jail time for his role in impeding a federal investigation into Uber's security practices, but attorney Lisa Sotto of Hunton Andrews Kurth LLP warned security leaders and executives "to take heed" and ensure they are covered for personal liability.


The Sullivan sentence may have prompted a collective sigh of relief among CISOs, but Sotto pointed out that the facts in the case were unique. The charges focused on the cover-up, not the handling of the data breach at Uber; therefore, security leaders and executives should be warned.

At a minimum, CISOs should establish a framework within the company for managing incidents and then practice that framework through tabletop exercises, Sotto advised. But they also need to consider "some specific protections" around "exculpation, indemnification and insurance."

"For example, there is the concept of exculpation of officers, meaning that officers would be protected by the company against claims by shareholders for negligence," she said. "In addition to that, we've seen a number of CISOs, for example, asking companies for indemnification, and what is really important is to be able to get your expenses advanced. Mounting a legal defense in this sort of a case is very, very expensive."

In this video interview with Information Security Media Group, Sotto discusses:

  • How the Sullivan verdict will affect breach reporting and personal liability going forward;
  • What security and privacy leaders should do to protect themselves against personal liability;
  • How the law around personal liability for data breaches is evolving.

Named in the National Law Journal's "100 Most Influential Lawyers," Sotto serves on Hunton & Williams' executive committee. She was voted the world's leading privacy adviser by Computerworld magazine, earned the highest honor from Chambers and Partners as a "Star" performer for privacy and data security, and was recognized as a "leading lawyer" by The Legal 500 U.S. Sotto chairs the Department of Homeland Security's Data Privacy and Integrity Advisory Committee and is the editor and lead author of "Privacy and Data Security Law Deskbook." She has represented the U.S. Chamber of Commerce in Indonesia and has advised the Serbian government on global data protection law. Sotto is co-chair of the International Privacy Law Committee of the New York Bar Association and chair of the New York Privacy Officers' Forum.


About the Author

Anna Delaney


Director, ISMG Productions

An experienced broadcast journalist, Delaney conducts interviews with senior cybersecurity leaders around the world. Previously, she was editor-in-chief of the website for The European Information Security Summit, or TEISS. Earlier, she worked at Levant TV and Resonance FM and served as a researcher at the BBC and ITV in their documentary and factual TV departments.



