As Ex-Uber Executive Heads To Trial, the Security Community Reels
Joe Sullivan, Uber's former chief of security, faces criminal charges for his handling of a 2016 security breach. His trial this week has divided the security industry. From a report: Joe Sullivan was a rock star in the information security world. One of the first federal prosecutors to work on cybercrime cases in the late 1990s, he jumped into the corporate security world in 2002, eventually taking on high-profile roles as chief of security at Facebook and Uber. When the security community made its annual summer pilgrimage to Las Vegas for two conferences, Mr. Sullivan was an easily recognizable figure: tall with shaggy hair, wearing sneakers and a hoodie. "Everyone knew him; I was in awe, frankly," said Renee Guttmann, who was the chief information security officer for Coca-Cola and Campbell Soup. "He was an industry leader." So it came as a shock to many in the community when Mr. Sullivan was fired by Uber in 2017, accused of mishandling a security incident the year before. Despite the scandal, Mr. Sullivan got a new job as chief of security at Cloudflare, an internet infrastructure company. But the investigation into the incident at Uber continued, and in 2020, the same prosecutor's office where Mr. Sullivan had worked decades earlier charged him with two felonies, in what is believed to be the first time a company executive has faced potential criminal liability for an alleged data breach. Mr. Sullivan has pleaded not guilty to the charges. Mr. Sullivan stepped down from his job at Cloudflare in July, in preparation for his trial, which begins this week in U.S. District Court in San Francisco. Other chief security officers are following the case closely, worried about what it means for them. [...] At the very least, security executives are worried about being on the hook for potential legal bills. 
Charles Blauner, a retired CISO and cybersecurity adviser, said security chiefs had taken a strong interest in directors and officers insurance, which covers the legal costs of executives who are sued as a result of their work with a company. "A lot of sitting chief information security officers are going to their bosses and asking if they have D.&O. insurance and, if not, can I have it?" Mr. Blauner said. "They are saying, 'If I'm going to be held liable for something our company does, I want legal coverage.'" After being charged, Mr. Sullivan sued Uber to force it to pay his legal fees in the criminal case, and they reached a private settlement.