Cybersecurity awareness month
The Buck stops here: The Uber Data Breach Conviction Shows Security Execs What Not to Do.
If IT leaders practice due diligence (i.e. do the right things) then they will not be crushed in a privacy crash.
On Oct 5 2022, former chief security officer (CSO) Joseph Sullivan was found guilty of a federal felony charge of obstruction of justice for hiding the 2016 Uber Inc. breach from the Federal Trade Commission, and of actively concealing the data breach and secret payments from legal authorities and customers. The maximum penalty for the combined charges could be up to eight years in prison.
Hackers stole 57 million records of Uber drivers’ and riders’ personal and credit card information.
The cover-up Sullivan orchestrated was outed in 2017 when Uber appointed a new CEO and also initiated an internal investigation into the data breach.
Cybersecurity and data privacy require trusted corporate decision making. Sullivan claimed that Uber’s legal department was responsible for notifying government authorities of the breach. This is an example of a bad executive decision that shifted blame and avoided taking responsibility.
There are multiple US state governments, and Federal agencies such as FTC, SEC, and FDA which all take part in legal data protection actions. They are increasing the amount of fines and oversight penalties to discourage gross negligence and encourage responsible breach reporting.
A company’s specific decision-making authority is rarely spelled out. The question of “who has the executive decision authority?” can send teams and individuals running in different directions looking for approvals. This can be especially problematic during a crisis such as a data breach. A crisis requires ethical, effective and immediate decisions. Due care and due diligence protect the business and its customers’ personal data.
The Buck Stops Here
“The buck stops here” is a phrase that was popularized by U.S. President Harry S. Truman, who kept a sign with that phrase on his desk in the Oval Office.
If IT leaders had practiced due diligence (i.e. done the right things), they would not have been as badly affected.
Executive governance must bring into the company the expertise needed for privacy protection, such as that provided by Privacy Test Driver. This means more than purchasing additional hardware and software applications; it also means discovering, understanding and practicing better data security and privacy protection best practices for market and customer success.
The senior board of every corporation needs to make the best possible resources available for cybersecurity and incident response. These are required steps for due care and due diligence, which allow senior management to responsibly accept the decisions that affect corporate risk management.
Contact Privacy Test Driver to begin your journey.
Practice must be focused, determined, and in an environment where there is feedback. Malcolm Gladwell