The trial of Joe Sullivan, Uber’s former head of security, for not properly disclosing a data breach will begin this week. It is believed to be the first time an executive will face criminal charges in relation to a network intrusion resulting in stolen personal information.
While the usual result of a data breach is more fuel available for account takeover attacks, this week’s trial in U.S. district court in San Francisco shows what the personal penalties could be for an individual responsible for protecting customer or employee information.
The San Francisco Examiner called Sullivan, a former federal prosecutor who in the late 1990s was one of the first to bring cybercrime cases, a “rock star” in the security world. In 2017, more than a year after the hack, Uber disclosed the breach that exposed as many as 57 million customer and employee records and fired Sullivan. How the case turns out could have a significant impact on Chief Information Security Officers (CISOs) charged with protecting customer and employee data.
“Perfect security is impossible, and now CISOs are wondering what happens if — or rather when — they fail,” according to the Examiner. “If Sullivan is convicted, they worry the outcome could set a precedent for who is at fault for a data breach.”