The May conviction of former Uber CISO Joe Sullivan no doubt set off some concern and anxiety among security leaders facing breach investigations from regulators and/or law enforcement. While Sullivan’s case was indeed unique in that he was found guilty of obstruction of justice and misprision of a felony for his role in covering up a breach at Uber, nonetheless, attorneys have been fielding calls from CISOs and other leaders about their exposure and what they can do to minimize personal liability in the event of an incident.
In this episode of the Nexus podcast, Stephen Reynolds, a partner at the law firm of McDermott, Will, and Emery, discusses the personal, criminal liability that can attach to individuals and executives during investigations, and offers some practical advice for CISOs. The short of it: Don’t panic, but don’t be unprepared either. In this case, preparation equates to having personal legal counsel available, and document everything during an incident.
“Obviously you have to take an interest in what protects the company, but also think about protecting yourself as an individual,” Reynolds said. “So that could include talking to actual legal counsel for yourself.”
Reynolds, who along with Eli Lilly associate VP and assistant general counsel Nick Merker presented on this topic at Black Hat, cautions that CISOs always remember that corporate counsel represent the company, and any attorney-client privilege is to the company and not the individual.
“Their outside counsel are there to protect the company, and not necessarily individuals—and sometimes those two things don't line up,” Reynolds cautioned. “So one thing that I think CISOs and executives and people in information security should realize is that they may have some personal liability here. And they should probably talk to personal counsel like an attorney who actually does have an attorney-client relationship with just them, and can represent them and give them advice if they're dealing with the situation.”
Reynolds says he’s fielding more questions about whether Directors and Officers liability insurance, or even cyber liability insurance, offers any protection. As industries such as healthcare and others in critical infrastructure face increasing pressure from threat actors using ransomware and extortion-based attacks, Reynolds says he’s also getting inquiries about the legalities around making those types of payments and exposure in those situations.
Listen to this Nexus podcast with David Elfering on Cyber Liability Insurance
One key piece of advice, Reynolds said, is to document the facts and information available at the time key decisions were made during an incident. Facts change quickly in investigations, he said, and sometimes decisions are made without a clear picture of the entire situation. It’s crucial to have documentation that supports any decisions that are made—especially since court dates may come years after the start of an incident.
“This is what we knew or what we thought at the time so it becomes really important to keep that information somewhere even beyond the personal liability question just so you can explain and have a story to regulators of ‘We did this because this is what we thought at the time we made that decision.’” Reynolds said. “I think generally people are trying to make the right decision. But they're making the decision based on, oftentimes, inaccurate or incomplete information so they need to document what it was you knew or didn't know at the time when you made those decisions.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.