Former Uber security head Joe Sullivan was found guilty in San Francisco federal court in a case that stemmed from a 2016 hack — details of which he tried to keep hidden. But experts told Bloomberg the case may be an exception, not the rule, when it comes to the government pushing for more disclosure. In fact, the Justice Department didn’t charge Mr Sullivan with violating disclosure regulations, but with obstruction of justice and concealing a felony amid a probe by the Federal Trade Commission.
Still, the conviction comes at a time when lawmakers and regulators are pushing for more accountability on hacks.
In March, US President Joe Biden signed sweeping cybersecurity legislation that mandates certain sectors report breaches to the U.S. Department of Homeland Security within 72 hours of discovery of the incident, and 24 hours if they make a ransomware payment. Many states now require companies to report breaches, and the US Securities and Exchange Commission has proposed new cyber-reporting laws.
For years, companies have turned to outside lawyers to handle such incidents, a practice that’s grown. In 2018, more than 4,000 companies retained legal counsel to help with their cyber responses; by 2021, that number had doubled, according to data from firms that were surveyed by insurance firm Advisen and analysed by Bloomberg News. The cybersecurity firm CrowdStrike Holdings told Bloomberg that 42 per cent of its engagements last year were under privilege with outside counsel.
Even when companies do decide to disclose, it can be so generic that it isn’t useful to investors or the public. “I worry that these judgments have too often erred on the side of nondisclosure, leaving investors in the dark — and putting companies at risk,” said former SEC Commissioner Robert J. Jackson Jr. in 2018.
After a company is breached, outside law firms often bring in a cybersecurity company for what’s known as incident response, or IR. But now, with ransomware actors — who will likely never see the inside of a US courtroom — the attorney-client privilege may be overused and misplaced, according to experts who study cybersecurity policy.
“External counsel go beyond merely providing legal advice,” wrote Daniel Woods, a researcher who’s also published on this topic with Ms Wolff. The lawyers control who gets hired to respond to the breach and “prioritise protecting client-attorney privilege above other concerns.”
Michael Risch, the vice dean at Villanova University’s law school, said having lawyers involved is meant to protect a firm and can actually guide companies to follow regulations more closely than had they not consulted an attorney. The antidote to secrecy, he said, “is to make laws that require companies to disclose more. And then the attorneys would say, ‘You have to disclose.’”
Beyond legal machinations, companies are often tight-lipped when breaches do happen. The phrases “cybersecurity incident” and “IT incident” — a common shorthand phrase often accompanied by few details — appeared in more than 1,000 newspaper and wire stories during the last five years, according to clippings archived by LexisNexis.