Executive Accountability for Risk Management

The question of executive accountability for risk management is again in the public debate. It comes after a federal jury convicted Joe Sullivan of two charges related to his attempt to cover up a 2016 security incident at Uber, where hackers stole the personal details of 57 million customers and the personal information of 600,000 Uber drivers.

A little background. At the time of the 2016 hack, the FTC was investigating Uber’s security practices following its 2014 data breach.

Then-CEO Travis Kalanick and in-house attorney Craig Clark were informed of the incident within six hours. A Courthouse News article reports that C-suite executives were aware of and approved the actions Clark and Sullivan took to cover up the incident, but prosecutors said there wasn’t enough evidence to charge Clark or Kalanick. Ultimately, Clark was given immunity to testify against Sullivan. Investors forced Kalanick to resign as chief executive in 2017, after a series of privacy scandals and complaints of discrimination and sexual harassment at Uber.

Vikramaditya Khanna wrote an interesting piece in PROMARKET that’s directly applicable. Vikramaditya writes that in the United States there is a notion that executives should be liable in cases like this; it’s called the Responsible Corporate Officer doctrine. The idea is that a senior executive in a supervisory role may be held liable for the failings of subordinates when, by reason of the supervisor’s actual authority, they had the power to prevent a violation and failed to do so. Liability can be imposed both civilly and criminally, even when the executive was not negligent. However, thus far the doctrine has been used sparingly (primarily for public welfare offenses such as violations of environmental and food and drug law, although sometimes for securities fraud, consumer fraud, and antitrust).

Judges, prosecutors, and scholars in both law and business have advocated for greater individual liability. The primary difficulty in convicting is too little evidence of behavior or state of mind. There seems to be a growing consensus that this situation may encourage whistleblowers to come forward with that information.

Jody Westby, in a recent Forbes article, actually takes the position that the government got it wrong. Jody writes that Sullivan was convicted not for failing to report a data breach, which is not a crime, but because by paying the hackers he concealed the attack and obstructed the ongoing FTC investigation. Jody argues that prosecutors should have targeted the board and C-suite (Kalanick) to lay bare the lack of management and oversight of the cybersecurity program and its associated risk.

Mathew Schwartz, in a recent article for BankInfoSecurity, highlights that written communications make clear Kalanick knew about the breach and about the attempt to use the bug bounty program to cover it up. So who should really be responsible?

The crux of the FTC issue was whether the new breach information should have been communicated to the FTC as part of the ongoing investigation. When it came to informing others, “If we couldn’t contain, it’s legal’s job to decide,” Sullivan said.

A spokesman for Sullivan previously said that every action Sullivan and his breach response team took involved close collaboration “with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies.” Sullivan is now serving as CSO of Cloudflare.

Uber is a different company now. Literally 90% of current Uber employees joined after Dara Khosrowshahi became CEO in 2017. Dara rewrote the company’s values and corporate governance, and installed rigorous controls and compliance.

What can you do? Register now for a 30-day gap analysis and get actionable recommendations to strengthen your executive oversight. Contact Charlene@fismacs.com or call (301) 346-3752 to schedule your free consultation today. Download the program brochure here.
