Trick question for CSOs: When does a security incident qualify as being a data breach, triggering notification or other regulatory rules?
The answer is that it’s “a very complicated question” that cybersecurity leaders should leave to their legal team while they stay fully in the loop, said former Uber CSO Joe Sullivan, sharing lessons learned from the U.S. Department of Justice’s successful prosecution against him.
With a company such as Uber having to comply with numerous regulations across the 100 countries in which it operates, “there’s no possible way that any of us in operational roles could be able to keep up with that, and so we shouldn’t even try,” he said. “I didn’t even try and I wouldn’t even try.”