What the Uber-Joe Sullivan Case Means for CISO Liability
Attorney Lisa Sotto Advises Security Leaders to Seek Adequate Liability Coverage
Former chief security officer Joe Sullivan avoided jail time for his role in impeding a federal investigation into Uber's security practices, but attorney Lisa Sotto of Hunton Andrews Kurth LLP warned security leaders and executives "to take heed" and ensure they are covered for personal liability.
The Sullivan sentence may have drawn a collective sigh of relief from CISOs, but Sotto pointed out that the facts in the case were unique. The charges focused on the cover-up, not the handling of the data breach at Uber; therefore, security leaders and executives should be warned.
At a minimum, CISOs should establish a framework within the company for managing incidents and then practice that framework through tabletop exercises, Sotto advised. But they also need to consider "some specific protections" around "exculpation, indemnification and insurance."
"For example, there is the concept of exculpation of officers, meaning that officers would be protected by the company against claims by shareholders for negligence," she said. "In addition to that, we've seen a number of CISOs, for example, asking companies for indemnification, and what is really important is to be able to get your expenses advanced. Mounting a legal defense in this sort of a case is very, very expensive."
In this video interview with Information Security Media Group, Sotto discusses:
- How the Sullivan verdict will affect breach reporting and personal liability going forward;
- What security and privacy leaders should do to safeguard their own liability;
- How the law around personal liability for data breaches is evolving.
Named in the National Law Journal's "100 Most Influential Lawyers," Sotto serves on Hunton & Williams' executive committee. She was voted the world's leading privacy adviser by Computerworld magazine, earned the highest honor from Chambers and Partners as a "Star" performer for privacy and data security, and was recognized as a "leading lawyer" by The Legal 500 U.S. Sotto chairs the Department of Homeland Security's Data Privacy and Integrity Advisory Committee and is the editor and lead author of "Privacy and Data Security Law Deskbook." She has represented the U.S. Chamber of Commerce in Indonesia and has advised the Serbian government on global data protection law. Sotto is co-chair of the International Privacy Law Committee of the New York Bar Association and chair of the New York Privacy Officers' Forum.