Former Uber Chief Security Officer Joe Sullivan discusses why he needed to move past the shock of a data breach conviction

The case files of modern law enforcement agencies cover a diverse array of people. Among them are individuals who, over their careers, contributed to advancing and defending national security and public institutions, only to later find themselves accused of obstructing legal proceedings and failing to report potential crimes.

One such case is that of Joe Sullivan, who was found guilty in 2022 on charges of obstructing an official proceeding and misprision of a felony, and subsequently sentenced to three years' probation earlier this year. The former Uber chief security officer was implicated in a case related to a 2016 data breach, in which hackers threatened to expose the data of 50 million Uber customers and drivers. The case revolved around Uber’s decision not to report the breach to the Federal Trade Commission, as mandated by law.

Sullivan spoke to TechCrunch recently and expressed his surprise and disappointment regarding the verdict. He explained, “We thought we were going to win the trial. We barely put on a defense because my lawyers were like, ‘we don’t need to.’ I didn’t testify, so the jury never saw me. They just saw the anonymous Uber executive with a mask on.”

Following his conviction, Sullivan’s case caused anxiety among fellow CSOs and CISOs, who wrote letters to the case’s sentencing judge, William Orrick, praising Sullivan’s actions and expressing concerns about facing similar legal penalties for simply doing their jobs. Sullivan, now working as CEO at a non-profit dedicated to providing humanitarian and technology aid to Ukraine, shared that he receives calls every week from security professionals seeking advice on staying in the industry and taking on higher-ranking roles.

Despite the initial impact of the case, Sullivan has taken the opportunity to advocate for better cybersecurity practices and to caution others in the industry. He believes that collaboration between the public and private sectors, along with sound regulation, is essential to fixing the “broken” cybersecurity industry. He praised the incoming data breach disclosure rules from the U.S. Securities and Exchange Commission, emphasizing the need for leaders in the cybersecurity field to make their voices heard and shape future regulations.

Overall, Sullivan’s case has opened up discussions about the responsibilities and legal liabilities of security professionals, sparking conversations about the need for better practices and collaboration between the government and private sector. As the divide between cybercrime and cybersecurity continues to grow, challenges like these will serve as pivotal moments for the industry to reflect, redefine regulations, and improve practices.

