Sullivan struck a deal with the criminals that they would be paid the requested $100,000 if they signed a non-disclosure agreement stating (1) they would not disclose the breach, and (2) they had not taken, stored, used or disclosed any Uber data. DoJ claimed this last provision was a false statement since the hackers had, in fact, obtained Uber data.

According to testimony in the trial, Sullivan did actively work to keep the hack under wraps and away from regulators, the public, and the press.

The Company Had the Responsibility, Not a Single CSO

When Sullivan joined Uber, the company was under investigation by the FTC regarding a much smaller 2014 breach and had received a Civil Investigative Demand (CID) from the agency that required the company to provide information about other instances of unauthorized access. That CID was a responsibility of the company, not Joe Sullivan. Uber’s General Counsel was involved in managing the FTC’s inquiry. Irrespective of any role Sullivan had in negotiating with the hackers, it was not his sole responsibility to provide information to the FTC or any other agency.

[Photo caption: The Federal Trade Commission building in Washington.]

Other than the CID, there was no obligation on the company to notify the FTC at the time of the breach. Although much has been made about the proposed settlement between Uber and the FTC, which obligated Uber to implement a strong cybersecurity program and prohibited it from misrepresenting its security practices, that proposed settlement was not entered into until August, nine months after the 2016 breach. At the time that Joe Sullivan was communicating with the hackers and getting them to sign a non-disclosure agreement, the company was only under the obligation of the CID.

While Sullivan may be responsible for the “concealment,” it was the decision of Kalanick and possibly other senior management not to make a formal breach disclosure. So…why hang the CSO for the concealment of the breach and ignore Kalanick and the company’s other D&Os? Remember, there were two separate acts here: Sullivan’s “concealment” of the breach (paying the hackers not to disclose the breach) and Uber’s non-disclosure of the breach.

Kalanick was CEO of the organization and knew of the breach the day after it occurred. Why didn’t he escalate this to his senior management team and Board of Directors? Why didn’t the company have a governance process in place that would have required such escalation? Why wasn’t the General Counsel informed of the incident? Why wasn’t the General Counsel involved in reviewing the non-disclosure agreement that Joe Sullivan was presenting to the hackers on behalf of Uber? Why didn’t the legal department have procedures in place that would have required in-house attorney Craig Clark to notify the General Counsel of this legal issue? Why didn’t the company ensure security and legal duties were segregated so one person could not act as both CSO and legal counsel? (At trial, the General Counsel noted that, while Sullivan was an attorney, he was not part of the General Counsel’s office.)

These questions are important because they go to the heart of what cyber governance is all about. They are also important because they are central to why this case was the wrong one to take to court.

Government has been pounding on the business community for two decades to improve their cybersecurity programs, and it had the ammunition it needed to go after the directors and officers of Uber for concealing the breach and not reporting it. Uber’s C-suite should have been managing cyber risks and its board should have been exercising oversight. The Government had the opportunity to send a shot across board tables and hold them accountable. Uber should have had a cyber governance framework in place that would have informed them about the hack so it could be appropriately handled and reported.

D&Os have a fiduciary duty to protect the assets of a corporation. Recent holdings in Delaware case law work to collectively narrow, under certain circumstances, the deference given to boards, particularly with respect to meeting their duty of loyalty and good faith oversight.