About a year ago, the security community was rocked when a former Uber CISO was convicted of federal charges and sentenced to three years’ probation over the way he handled a data breach. There was panic, shock and a concern that any CISO could be next to gain a criminal record while simply doing their job.
In hindsight, a wave of CISOs behind bars has not transpired, in part due to the facts of the case — but it’s true that liability and legality-wrangling is far more common in the CISO role than it used to be. So let’s dig into some different perspectives on what CISO liability is (and isn’t), and your peers’ best strategies for managing their legal obligations.
What started this wave of liability concerns?
Many security professionals name the “Uber CISO” as a defining moment in their appreciation of their liability. In October 2022, Joe Sullivan was convicted for how he handled a data breach at Uber. Rather than disclose the incident, he chose to pay the attackers through Uber’s bug bounty program, making them sign an NDA and asking them to promise not to release the data. If you heard the hype, but never really had time to dig into the story, you can summarise it as follows: getting breached isn’t a crime, but covering up the breach absolutely is.
We’ve seen the CISO of SolarWinds named in a class action lawsuit, alleging violations of the Securities Act. At the same time, government organisations are getting stricter on disclosure of breaches; the U.S. Securities and Exchange Commission announced this year that organisations have four business days to disclose material cybersecurity incidents after determination.
All the while, the CISO role has expanded to include all kinds of legal issues, such as supply chain liability, decisions on ransomware payment, and negotiations on cyber insurance.
It’s a trickle, not a flood, of legal spotlights on CISOs — but it’s close enough to home to be concerning for many.
One year on, what’s the perspective?
In my discussions, security leaders seem to have passed the knee-jerk reaction phase of “panic.”
But many security professionals still face daily legal and compliance issues. This isn’t recent either (can you believe GDPR came into force more than five years ago?) but usually these professionals never got into security because of a love of legislation. This compliance angle has been added onto their roles over time and their responsibilities have grown.
Successful leaders share a common trait, which I call a “positive compliance mindset.” These leaders are leaning into their obligations, treating them as opportunities to be business-relevant, expand their department remit and gain budget by taking them seriously — rather than be an unwanted burden to shoulder.
But having such a mindset isn’t enough.
What are your peers saying about liability?
During an RSA Conference panel this year on CISO Legal Risks and Liabilities, one topic discussed was what to do when, as a CISO, you are asked to estimate the data loss from a breach. That’s a tough ask because if you guess too low, you are at risk of defrauding investors. If you guess too high, you’re unnecessarily harming the company’s reputation.
Like Goldilocks and her porridge, how do you guess the data loss from a breach “just right”? This panel had two pieces of advice:
- Make your best guess based on the evidence, with legal advice, ensuring that the company covers you (insurance, indemnity policy, or otherwise) if you act on the company’s behalf.
- “Or don’t guess!” said Kirsten Davies, Unilever CISO.
That’s just one of many liability issues that CISOs manage in conjunction with the legal department, alongside managing the breach itself, and deciding if or when to call law enforcement.
Alyssa Miller, CISO of Epiq Global, also reminded the audience, “Your corporate lawyers are not your lawyers.” So when navigating legal waters, make sure you have independent advice, and something in writing as an understanding of your liability — whether that’s a contract or other legally binding document.
What else can you do to understand and manage your liability?
1. Invest in closing the distance between your tech and legal departments
In our recent EMEA Leaders roundtable discussion at .conf23, several participants emphasised that the gap in understanding between technology and legal departments results in a lack of challenge.
This lack of challenge was described as unhelpful, unhealthy and dangerous — and not just in terms of liability. When your legal teams can’t ask the “right” questions (or even understand the difference between a good or bad question), organisational agility suffers with long backlogs and endless email chains. This loop builds cultural friction and resentment with each delay, impacts your people, and ultimately leads to worse outcomes for the business.
But how can you invest in facilitating dialogue between tech teams and legal departments? Each approach is different, but proactivity from tech teams is key; offering shadowing, hosting non-judgmental Q&As, delivering educational sessions, or even directly sharing dashboards and tooling. This front-foot approach may take upfront time and effort, but it is empowering for all involved, resulting in far better challenge and outcomes, and ultimately saves time compared to an infrequent and reluctant approach.
2. Bring in the right processes
I do know and fully appreciate how dull that sounds. Bear with me; your processes should pay you back in dividends, when you do them right. One of the issues in Joe Sullivan’s case was that, as well as being the CISO, he was also the deputy general counsel — which lent him credibility with the legal team, potentially resulting in less challenge than a strict process would have enforced.
So create regular touchpoints in your processes, from cyber insurance to bug bounties, to allow ample opportunities for challenge — and the earlier the better. Connect with your stakeholders, including finance, legal and marketing, and give them explicit remit to challenge you. Ensure you have good lines of communication with the board, so they can also ask meaningful questions and hold you to account. Being asked to justify your choices and refute other options could lead to different, better outcomes — and, even if no change results, it should give you more confidence in the choices you have made, and your subsequent actions.
3. Ensure you are personally covered
Check your current contract. If you don’t have something in writing that stipulates what your liability is when you’re acting on behalf of the company, get it. Get a contract or other legally binding document. Get personal lawyers that you can call at short notice, should you ever find yourself managing a breach or liability issue.
And some final obvious but important advice: Don’t break the law.
