9 Notable CISO Legal Cases


Beyond USA v. Sullivan and SEC v. SolarWinds (analyzed in a separate post), several other high-profile cases have involved CISOs or other cybersecurity leaders, and together they show the growing legal exposure that comes with the role. Some notable examples:


1. Equifax Data Breach (2017)

  • CISO Involvement: Susan Mauldin, Equifax's CISO at the time, was heavily scrutinized for her role in the handling of the 2017 breach, which exposed the personal data of approximately 147 million people.
  • Key Issue: The attackers exploited a known vulnerability in the Apache Struts web application framework (CVE-2017-5638). A patch had been available since March 2017, but Equifax had not applied it to an internet-facing system when the intrusion began in May. Mauldin and other executives were criticized for the slow remediation.
  • Consequences: Mauldin was not criminally charged, but she retired within weeks of the disclosure, as did the CEO, Richard Smith. Equifax agreed in 2019 to a global settlement with the FTC, the CFPB and state attorneys general worth up to $700 million, and faced extensive litigation. Mauldin's academic background (her degrees were in music composition) became a point of media focus, with commentators questioning her qualifications for the role.

2. Target Data Breach (2013)

  • CISO Involvement: The Target breach resulted in the theft of 40 million payment card numbers and the personal information of 70 million customers. Target had no dedicated CISO at the time; responsibility for security sat with its CIO, Beth Jacob, and the company created the CISO role only after the breach.
  • Key Issue: The attackers entered through credentials stolen from a third-party HVAC vendor, and the breach exposed weaknesses in Target's security operations: the company's malware detection tools raised alerts on the intrusion, but those alerts were not acted upon before the card data was exfiltrated.
  • Consequences: No individual was charged, but Jacob resigned in March 2014 and CEO Gregg Steinhafel followed in May. Target also faced multiple class-action lawsuits and in 2017 paid an $18.5 million multistate settlement.

3. Yahoo Data Breaches (2013–2016)

  • CISO Involvement: Alex Stamos served as Yahoo's CISO from 2014 to 2015, the period in which the second of the two breaches occurred and in which Yahoo's security team became aware of the intrusion. He had already left the company when the breaches were disclosed in 2016, but Yahoo's handling of them drew heavy criticism.
  • Key Issue: Two major breaches were disclosed in 2016: a 2013 breach that Yahoo ultimately acknowledged affected all 3 billion of its user accounts, and a 2014 breach affecting about 500 million. Yahoo was accused of delaying disclosure for roughly two years after its security staff learned of the 2014 intrusion, and of having inadequate security controls.
  • Consequences: Yahoo's mishandling of these incidents led Verizon to cut the purchase price by $350 million, and in 2018 the SEC imposed a $35 million penalty on the company (by then renamed Altaba) for failing to disclose the breach to investors, the first such SEC action over a cyber incident. Stamos had moved to Facebook in 2015, where he later dealt with the aftermath of the Cambridge Analytica scandal.

4. Capital One Data Breach (2019)

  • CISO Involvement: Michael Johnson, Capital One's CISO at the time, faced significant scrutiny after a 2019 breach exposed the personal information of roughly 106 million credit card applicants and customers in the U.S. and Canada.
  • Key Issue: The attacker exploited a misconfigured web application firewall in Capital One's cloud environment to reach customer data stored in AWS. The CISO's responsibility for ensuring proper cloud security controls became a focal point of the investigation.
  • Consequences: Johnson was not individually charged, but he was moved out of the CISO role later that year. In 2020 the Office of the Comptroller of the Currency (OCC) imposed an $80 million civil money penalty on Capital One for failing to establish effective risk management before migrating to the cloud, and in 2022 the company agreed to a $190 million class-action settlement. The attacker was convicted in 2022.

5. Desjardins Data Breach (2019)

  • CISO Involvement: Sébastien Provencher, the former CISO of Desjardins Group, was closely involved in managing the fallout from a large insider breach. Desjardins first put the number of affected members at 2.9 million, then revised it to 4.2 million and ultimately to roughly 9.7 million individuals.
  • Key Issue: An employee exfiltrated sensitive customer data over more than two years without being detected, exposing weaknesses in Desjardins' internal access controls and insider threat monitoring.
  • Consequences: Desjardins faced regulatory findings (the Privacy Commissioner of Canada concluded its safeguards were inadequate), class-action litigation and lasting reputational damage. Provencher stepped down amid the fallout, as the breach called into question the adequacy of its insider threat detection.

6. Uber’s 2016 Data Breach Cover-Up

  • CISO Involvement: Uber's then-Chief Security Officer, Joseph Sullivan, was criminally prosecuted for his role in concealing the breach (see the separate analysis of USA v. Sullivan). The incident also drew regulatory action against Uber itself for failing to notify the roughly 57 million riders and drivers whose data was taken.
  • Key Issue: Uber paid the attackers $100,000, routed through its bug bounty program, in exchange for deleting the data and keeping quiet, which raised both ethical and legal questions about how security incidents are managed and who is told about them.
  • Consequences: Sullivan was convicted in 2022 of obstruction of justice and misprision of a felony and sentenced in 2023 to probation. Uber agreed in 2018 to a $148 million settlement with all 50 U.S. states and the District of Columbia over the cover-up. The case is now the standard warning that concealing a breach from regulators can create personal criminal exposure for a security executive, and it reshaped expectations about the CISO's role in ensuring transparency.

7. Morgan Stanley Data Disposal Failures (2016 and 2019)

  • CISO Involvement: Morgan Stanley's CISO and security leadership had to manage the fallout from incidents in which third-party vendors mishandled decommissioned equipment holding client information.
  • Key Issue: Decommissioned hardware that still held unencrypted client data was resold by a vendor without being wiped, and some devices could not be accounted for. The failure to verify that data was destroyed before hardware left the company's control became the central finding.
  • Consequences: The OCC fined Morgan Stanley $60 million in 2020, the bank settled a related class action for a further $60 million, and in 2022 the SEC imposed a $35 million penalty. The incidents underscored the CISO's responsibility for ensuring that vendors follow stringent data sanitization and disposal procedures.

8. Marriott International Data Breach (2018)

  • CISO Involvement: The breach, disclosed in November 2018, was initially estimated to affect about 500 million guests (later revised to roughly 339 million guest records). Marriott's CISO and security team were heavily involved in the response.
  • Key Issue: The intrusion was traced back to 2014 in the guest reservation database of Starwood, which Marriott acquired in 2016, and persisted undetected for two years after the acquisition. The incident called into question the cybersecurity due diligence conducted during mergers and acquisitions.
  • Consequences: The UK Information Commissioner's Office fined Marriott £18.4 million under the GDPR in 2020, down from the £99 million it had initially proposed. The CISO was not charged, but the case has become a landmark for CISO responsibilities in M&A transactions.

9. T-Mobile Data Breach (2021)

  • CISO Involvement: T-Mobile's CISO was thrust into the spotlight after a 2021 breach that compromised the personal data of tens of millions of current, former and prospective customers (initially reported as over 40 million, later put at more than 76 million).
  • Key Issue: The attacker gained access through weaknesses in T-Mobile's systems. The company was criticized for failing to implement adequate safeguards despite having disclosed several earlier breaches.
  • Consequences: T-Mobile agreed in 2022 to a $350 million class-action settlement and committed to spend an additional $150 million on security improvements. The breach underscored that CISOs are expected to show continuous improvement after an incident, not just remediation of the immediate cause.

The role of the CISO has evolved from purely technical to include legal, regulatory, and ethical responsibilities. Increasingly, CISOs are being held accountable not only for how they handle incidents but also for how they communicate with regulators, senior management, and the public. Some key takeaways from these cases are:

  • Transparency is Key: Many of these cases involve delays or omissions in breach reporting. CISOs must ensure timely disclosure and internal communication to avoid legal ramifications.
  • Vendor Management: Several breaches (e.g., Morgan Stanley, SolarWinds) highlight the risks associated with third-party vendors. CISOs must have stringent controls in place for vendor risk management.
  • Regulatory Compliance: The growing complexity of regulatory environments like GDPR, CCPA, and U.S. federal oversight means that CISOs need to stay current on compliance and data protection laws.

These cases are essential for understanding the risks and responsibilities of the CISO role. As cyber threats grow, so do the legal expectations placed on corporate security leaders: CISOs are increasingly held accountable for corporate security failures, and the consequences of mismanagement range from financial penalties and loss of position to, in the Sullivan case, criminal conviction.

By Security Careers