How CISOs Can Guard Against Their Own Liability
In Wake of Joe Sullivan Verdict, Jonathan Armstrong Offers Legal Advice for CISOs
In October, former Uber CSO Joe Sullivan was convicted on charges of covering up a 2016 data breach that affected tens of millions of Uber account holders. The trial was a watershed moment, likely marking the first time a chief security officer had faced criminal charges over an incident response. Does the Joe Sullivan verdict presage a dangerous new future for the security profession globally? "Possibly," says attorney Jonathan Armstrong. "This trend is going to be difficult to put back in the box."
Armstrong says that when security leaders start a new position, they have some bargaining power to make sure that their contract is robust and contains the protections they need. He advises CISOs to do their due diligence by asking, "Is there a data breach there that hasn't been reported?"
He also recommends that security leaders consider obtaining directors and officers liability insurance. "Make sure that your name is on the policy, and that the organization will support you," he says.
In a video interview with Information Security Media Group, Armstrong discusses:
- What the Joe Sullivan verdict portends for the security profession globally;
- What the case tells us about personal liability under GDPR;
- Practical steps security leaders should take today to guard against their own liability.
Armstrong, an experienced lawyer with Cordery in London, is an expert on data protection and data security law. He advises multinational companies on risk, compliance and technology.