It has been reported that Uber’s former security officer, Joe Sullivan, is standing trial this week in what is believed to be the first case of an executive facing criminal charges in relation to a data breach. The US district court in San Francisco will start hearing arguments on whether Sullivan, the former head of security at the ride-share giant, failed to properly disclose a 2016 data breach affecting 57 million Uber riders and drivers around the world.
The full story can be found here: https://www.theguardian.com/technology/2022/sep/06/uber-joe-sullivan-trial-security-data-breach
Commenting on this story:
Sullivan isn’t on trial because his company suffered a data breach. He’s on trial because he failed to disclose to customers a breach that affected those customers’ private information. I think that’s an important distinction. Penalizing companies that suffer data breaches is tricky. Companies should be held accountable when they fail to secure users’ private data. However, punishing a business because it was breached is victim blaming; Uber’s data was stolen by cybercriminals. We don’t want to discourage businesses from disclosing breaches in the future. Sullivan should be held responsible for failing to inform users that their data was breached, not because the data was breached. As of 2018, every state in the US has a data breach notification law.
Authorities should do a deeper dive to investigate this breach, to determine whether or not other company executives as well as the company’s board of directors knew more about the breach than they are claiming. Not only should Sullivan be held culpable for hiding the data breach, higher executives should be similarly punished if it is found that they had knowledge of the incident before its exposure. While I don’t think jail terms would do any good, a few expensive fines here and there would be a good thing to see happen.