Uber’s former chief of security, Joe Sullivan, was convicted in October of obstructing a federal government investigation and concealing a felony from the Federal Trade Commission. The trial got plenty of attention, particularly from those working as chief information security officers. Not only was this about Uber, one of the world’s highest-profile companies, but it was also the first time an executive had faced criminal prosecution over a data breach.
To be held responsible for the cybersecurity policy of an entire company is a heavy burden. But with cybercrime damages reaching nearly $7 billion in the U.S. in 2021, according to the Federal Bureau of Investigation, regulators will be increasingly focused on prosecuting executives who do not comply with U.S. federal cybersecurity regulations.
For many CISOs, Sullivan’s conviction set a frightening precedent. With password security service LastPass trying to contain the fallout from a data breach that exposed a trove of high-value customer data, the long-term effects of Sullivan’s conviction may start to become apparent. Whether or not the LastPass hack produces any criminal charges, Sullivan’s conviction nevertheless represents a shift in how the federal government intends to defend citizens’ privacy against bad actors online.