One long-standing ethical challenge for cybersecurity professionals is that there is no such thing as privileged communication between them and the organizations that employ them, in the way there is between a lawyer and a client. As a result, there are no commonly agreed-upon ethical procedures they can rely on when their obligations to an employer conflict with the greater good.
This issue is now at the core of two prominent cases that have the cybersecurity community choosing sides. The first involves former Uber chief security officer Joe Sullivan, who was convicted of “obstruction of the proceedings of the Federal Trade Commission and misprision of felony in connection with the attempted cover-up of a 2016 hack at Uber.”
A federal jury agreed with the government that Sullivan had concealed from regulators that Uber used its bug bounty program to pay off the cybercriminals who were extorting the company after using a breach to access the personal information of more than 50 million riders and drivers. The issue at hand is not so much how the breach was handled as whether hiding it from the FTC, which was already investigating Uber’s data-security practices at the time, amounted to obstruction and to concealing a felony.
The second case involves Peiter “Mudge” Zatko, who filed a whistleblower complaint against his former employer Twitter, alleging that it deceived both federal regulators and its board of directors about “extreme, egregious deficiencies” in its defenses against hackers and about its meager efforts to fight spam. Filed with the Securities and Exchange Commission (SEC), the Department of Justice, and the Federal Trade Commission (FTC), the complaint alleges Twitter violated the terms of an 11-year-old settlement with the FTC by claiming that it had a solid security plan.
Naturally, there are those who applaud the filing of the complaint in the name of the greater good, while others wonder whether the prospect of an SEC whistleblower award was a factor. These awards can run into the millions of dollars, and critics speculate that this may have been an incentive for the action.
Regardless of how either case is resolved after what is sure to be years of legal wrangling and multiple appeals, the scope of the legal responsibilities a cybersecurity professional assumes, especially at a public company, is being put to the test. Withholding information that could have a material impact on the valuation of a public company has long been treated as securities fraud. What is different now is that, because data breaches move stock prices, the federal government is applying the letter of securities law to cybersecurity professionals. Misrepresenting anything to federal regulators, regardless of any non-disclosure agreement (NDA), is always going to carry legal jeopardy: an NDA is no defense against a charge of lying to, or obstructing, a regulator.
At the same time, however, organizations should be able to engage in a frank conversation with cybersecurity professionals about the level of risk they are assuming without having to worry that everything said will later surface in a public lawsuit. Many business executives faced with that prospect will simply opt to discuss cybersecurity issues as little as possible. That is likely to have a chilling effect that proves counter-productive for all concerned. There needs to be a safe place where such a dialogue can be had. That doesn’t mean a whistleblower complaint shouldn’t be filed when cybersecurity risks are ignored at the peril of shareholders, but there needs to be a set of documented procedures that makes filing such a complaint an act of last resort.
Of course, many cybersecurity professionals will conclude they are better off working for a private company that does not carry the same obligations to public shareholders. Most, whatever type of company they work for, will continue to struggle morally over what to divulge. It is unlikely that the courts will ever recognize any form of privilege for cybersecurity professionals. Instead, it will, as always, be up to each cybersecurity professional to follow their own conscience.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.