The Troubles Caused by Ambiguous Cyber Disclosure Rules and CISO Criminalization

Disclosing Cybersecurity Incidents: Navigating a Vague Legal Landscape

With the recent sentencing of former Uber CISO Joseph Sullivan for his role in covering up a 2016 data breach at the company, the stakes for chief information security officers (CISOs) and their teams have significantly increased. The lack of clear rules on cybersecurity incident disclosure has left many CISOs concerned about potential liability. In an interview with Dark Reading, SolarWinds CISO Tim Brown has called for new federal regulations that outline CISO requirements for preventing and responding to cybercrime. Brown argues that CISOs need something in the mold of the Sarbanes-Oxley Act, which details financial reporting regulations for chief financial officers (CFOs).

The Disclosure Maze

The disclosure landscape is full of hazy rules and emerging guidelines, which makes it difficult for CISOs and their teams to navigate the disclosure process. In-house counsel and outside legal advisers have become essential in helping organizations navigate this complex legal landscape. While transparency is important for trust and the flow of information, the pressure for rapid disclosure could rob security teams of priceless time to respond appropriately to cyberattacks. Dave Gerry, CEO of Bugcrowd, believes that incident disclosure needs to give the security organization the opportunity to rapidly patch systems, fix code-level vulnerabilities, eject attackers, and generally remediate their systems before any disclosures are made.

Data ‘Duty of Care’ Defined

US state attorneys general are pushing for tougher regulations around cybersecurity incident disclosures, making the disclosure landscape even more confusing. Each state has its own unique disclosure landscape riddled with broad, ill-defined requirements like taking “reasonable” actions to protect data. Colorado AG Philip Weiser took an important step toward clarifying CISO obligations last January when he offered a definition of “Duty of Care” rules under the Colorado Privacy Act, requiring reasonable action be taken to protect personal data. However, for now, the rules still leave plenty of room for enterprise cybersecurity teams to get it wrong.

Editorial: The Need for Clarity and Standardization

The lack of clear rules on cybersecurity incident disclosure has become a critical issue, and there is a need for clarity and standardization. At present, there is a vast and evolving mousetrap of rules, regulations, executive orders, and case law dictating how and when disclosures need to occur. The litany of hazy rules and emerging guidelines doesn’t provide CISOs and cybersecurity teams with a clear path to compliance. This complex legal landscape not only creates stress and angst for teams but also poses a significant risk of criminalization. The Sarbanes-Oxley Act for CISOs proposed by Brown might be a good starting point in outlining CISO requirements for preventing and responding to cybercrime. However, it is high time for policymakers and legislators to come together to develop clear and comprehensive federal regulations that would provide uniform guidance for entities experiencing a cybersecurity incident.

Advice: Keep Legal Teams Closely Involved

SolarWinds’ Brown recommends keeping legal teams closely involved in all cyber incident responses. Given the complexity and vagueness of the current legal landscape, it is necessary to have legal advisers to ensure compliance with regulatory and legal requirements. CISOs and their teams should also coordinate with legal and communications stakeholders to ensure they are meeting regulatory and legal requirements and providing the appropriate level of information to the right consumers of the information. Enterprises should ensure that they have in-house counsel or outside legal advisers with cybersecurity expertise to assist them in navigating the complex legal landscape and reducing the risk of criminalization.
