The former Chief Security Officer (CSO) of Uber has been charged in relation to an alleged cover-up of a data breach in 2016. The ex-CSO allegedly took deliberate steps to mislead the Federal Trade Commission, relating to a cyber incident that exposed 57m customers and 600,000 Uber drivers' details. The attackers contacted the CSO claiming to have found 'a major vulnerability' and asking for $100,000 to reveal further details.
As a cyber-security team within a law firm, we have access to a broad range of technical and legal advice from our colleagues. We have worked with our colleagues across the firm to understand the potential issues for senior cyber security staff and businesses in the UK (specifically England and Wales) when dealing with similar issues and examined the scenario if it had happened in the UK:
A company is contacted by an individual, who claims to be a researcher simply pointing out security flaws. The researcher has accessed the company’s systems and has copies of both company and personal data. This is confirmed by an internal investigation that shows that data may have been accessed.
The company’s Chief Information Security Officer (CISO) manages the investigation and authorises a payment to the researcher. The company pays the researcher to delete the data and to sign undertakings that they have done so. The CISO reports the issue to the board but omits key details. The researcher signs the undertakings, including a statement that they did not take any of the companies' data.
We examined this scenario from several angles, considering how a CISO operates within the business and their knowledge, what data protection law states about these breaches and what insurance cover would extend to the CISO.
Data Protection law in the UK is clear, and this would likely have been a notifiable data breach.
There can be a pressure to not report issues upwards for a CISO, and a lack of clarity of the regulatory and legal issues of specific decisions may mean issues don't sometimes get the attention they deserve. The CISO is not a role that has been commonly associated with personal liability, but in principle the role may be provided cover as an officer of the company.
There was a better way to tackle this – the use of legal orders to identify the perpetrator and to prevent them from using the data would have provided a mechanism to reduce potential harm.
A CISO‘s perspective
It is well known that the role of a CISO is a stressful one; CISOs face significant pressures daily. It can be difficult to explain to senior leadership that security involves both the prevention of incidents and the rapid detection and remediation of those incidents that occur. In such businesses, CISOs may be aware that a single breach could mean their job.
This direct pressure can lead to questions around what CISOs do and do not report upwards. A CISO fearing the loss of their job may be tempted to minimise issues which arise, or find 'creative' workarounds to incidents such as disguising the payment in a bug bounty program to route funds and obscure an incident's impact, as seen with Uber.
Incident reporting to the board can be further complicated by a lack of clarity over the legal and regulatory impacts of a security incident. The CISO perspective on a given incident may not always match that of the regulators who govern whether incidents are notifiable, leading to cases of a CISO simply not raising what they judge to be an insignificant issue.
Clearly, neither the potential for significant impacts nor a lack of understanding of legal and regulatory concerns can justify the hiding of incidents from senior leadership, but the good news is that CISOs have it in their power to address both of these issues.
Firstly, CISOs need to build strong senior leadership relationships. These leaders will need help to understand how incidents might arise despite good tools and practices being in place, and how measures have been devised to minimise impacts and manage business risks. The message that not every incident is a catastrophe, and that careful work can minimise impacts is key.
CISOs should cultivate a productive working relationship with their business' GC. The GC is a key contact for the determination of a business' responsibilities after a breach, and CISOs should rely on their guidance, both to gauge the need for internal reporting, and to assess the need for legally mandated reporting to regulators, law enforcement, and clients.
The prosecution being launched in the USA illustrates the even more significant consequences that a CISO can face if a breach is hidden. Avoiding these consequences requires transparency between security leaders and other members of the senior leadership team. This transparency and its impacts can be made more productive through ongoing communications and the development of strong working relationships, but even when relationships are strained, transparency is needed to protect both the business and the CISO from what could be significant consequences.
A UK data protection perspective
The main issue here for a CISO to consider is the General Data Protection Regulation (GDPR). If this had happened in the UK, given the data disclosed, it would likely have been considered a "personal data breach" under GDPR so there would have been an obligation under Article 33 to notify the supervisory authority (which in the UK is the Information Commissioner's Office (ICO)).
This is because the personal data breach would be deemed likely to result in a risk to the rights and freedoms of individuals. It is unlikely and indeed unadvisable for a CISO in this position to not inform their senior management, although there is no express obligation under GDPR.
If a ransom was paid and no notification to the ICO was made, in circumstances where it should have been, this would potentially have been a serious matter. GDPR provides for a fine of up to €10m or 2% of global annual turnover for serious infringements of the Article 33 obligation. These potential sanctions are solely for the failure to notify, and are separate to the potential sanctions which might arise as a result of an investigation of the underlying personal data breach.
If the ICO wanted more information about the incident, section 142 of the Data Protection Act 2018 empowers the ICO to serve "information notices" requiring a controller or processor to disclose information. However, there is an exemption from the requirement to disclose information if it is legal advice on compliance with data protection legislation, or if it subject to litigation privilege, or if it would incriminate the person providing it.
A fraud lawyer’s perspective
When faced with a case of blackmail, the subject of the unlawful demand is confronted with a number of difficult decisions to make. The first is whether to pay the demand, which while doing so does not entail any immediate criminal liability on the part of the payer, it does not come without risks, both in relation to the fact that there are no guarantees that the payment will achieve the hoped-for purpose, and also in relation to the exposure of becoming a repeat target.
The second decision relates to the engagement of law enforcement authorities. There is no question that breaches of the type being discussed here can entail acute embarrassment and sensitivity, on the part of the victim, that their systems and controls have been compromised. It may therefore come as a comfort to those victims that the criminal law does feature measures to protect victims and mitigate the ongoing effect of blackmail, as well as working to avoid further incidents in the future. For those measures to be effective, though, there needs to be early and informed discussions with law enforcement agencies.
In addition to making that initial contact, it is inevitable that victims may also wish to take steps further to protect itself and also keep option its wider options further down the line. That might take the form of private criminal prosecution, but it may also take the form of prompt civil action. With that object in mind, there are several possible legal options available to a UK CISO and firm to pursue the attackers.
In a civil context, the primary tool available in England and Wales when wrongdoing has occurred but the wrongdoers are unknown is the Norwich Pharmacal disclosure order. This is an order made against third parties who hold information regarding the wrongdoer or wrongdoing. In this situation, it could potentially be used against any identifiable service that the attackers had used in order to try to identify them – so for example, an application could be made for disclosure from a bank or crypto exchange that the hackers had used, the ISP of any IP addresses associated with them, or any email or hosting companies used by the attackers.
Obviously attackers normally seek to conceal their identity, so you would want to pair this with a proper forensic IT investigation to ensure that you were not simply chasing dead ends. In addition, Norwich Pharmacals are normally only granted against companies that have a presence in the jurisdiction, although there are similar legal tools available in some other jurisdictions.
A decision from 23 Oct 2017 (CMOC v Persons Unknown) made public in 2018, confirmed that it was possible to obtain a freezing order against persons unknown. These orders restrict the movement of assets, such as funds in a bank account. In the event that money had been illicitly taken from the company it would, in principle, be possible to obtain a freezing order against the attackers’ bank accounts (or other assets such as crypto wallets) even if you didn't know their identity. In a case which at the time was the first of its kind, Mishcon de Reya lawyer Rhymal Persad was granted a freezing order against persons unknown as part of an email fraud. This may also hold true in circumstances where the money was "voluntarily" paid over by the Company as part of an extortion.
Once the identity of the attacker is known, the full arsenal of injunctive tools to freeze assets and recover data come into play. As well as freezing orders, search orders and orders to image computers or for the handing over of computers and materials.
An insurance lawyer’s perspective
Many companies maintain Cyber Insurance or Corporate Crime policies to indemnify the company against losses it may faces as a result of similar situations. This example may cause companies and their CIO's to consider what protections may be in place for any personal liability a CISO may face as a result of carrying out that role. Companies commonly maintain some form of Directors & Officers Liability Insurance Policy.
The aim of these policies is to protect the company's directors from personal liabilities they incur as a result of acting as a director, as well as the costs of defending themselves in legal proceedings or regulatory investigations brought against them on that basis. Those policies do not however have to just be limited to directors and are often extended to cover other specific individuals or roles within the company. CISO is not a role which has commonly been associated with attracting personal liability but there is no reason why there would not be in principle coverage for such an "officer" of the company.
It is worth bearing in mind that insurance will not assist an individual that has admitted having been deliberately dishonest or fraudulent or where it has been established through a legal process that they were. It can however still assist in meeting the individuals costs of defending themselves against unproven allegations, charges or investigations (those costs potentially being very substantial).
If a company or their CISO is concerned that the CISO role could potentially lead to accusations or liabilities being alleged against that individual in a personal capacity they should discuss with their insurance broker whether the personal liabilities of their CISO would be covered by their existing insurance policies. If not and it is a concern to them, they could consider whether to amend the scope of the cover they maintain going forward to specifically include the role of CISO.
Blowing the whistle on data breaches
An alternate view is that CISOs have a responsibility beyond that of their employer to the wider public interest. Like any employee a CISO would want to ensure that whistleblowing was a last resort, and that information was disclosed in an appropriate manner.
Whistleblower protections would be engaged if the CISO has direct knowledge of the information around a breach, reasonably believes it to be true and reasonably believes disclosure to be in the public interest. The disclosure would need to be made to the employer or responsible person, or to a set of prescribed persons.
In this case the prescribed person would be the Information Commissioners Office (ICO). ICO reports show this is not uncommon, in 2019/2020 427disclosures were made with action being taken in 68 of them.
Tackling cyber incidents
This article was created in the same way we approach cyber security, as a multi-disciplinary challenge. We worked with input specialists across our business who support clients in a range of cyber security and business risk challenges.