Cybersecurity Insights

The Joe Sullivan Case: A Warning to All CISOs


From left: Jody Westby, Head, Global Cyber Risk LLC and Dawn Kristy, CEO and Founder, The Cyber Dawn
Dawn Kristy, CEO and Founder of The Cyber Dawn, is a lawyer who specializes in cybersecurity insurance. She has 20 years of experience in complex insurance and reinsurance claims, cyber professional liability, directors’ and officers’ liability, and general and environmental liability. For the last 11 years, Dawn has focused on cybersecurity and technology and professional liability claims. Dawn also served as VP of Cyber Solutions for Cyber Armada, a cyber insurance broker, and authored the award-winning book 33 Ways Not To Screw Up Cybersecurity (2022) (part of the 33 Ways Series).

Joining Dawn is Jody Westby, the Head of Global Cyber Risk LLC and a lawyer who is well known in the cybersecurity space. She focuses on privacy, security, cybercrime, and cyber risk management. Jody has been in the space for 30 years dealing with technical legal policy and business law related to various risks and cybersecurity issues. She has published seven books on cybersecurity, cybercrime, privacy, and cyber governance, including the D&O Guide to Cyber Governance: Fiduciary Duties in the Digital Age (2021). Jody serves as an Adjunct Professor to Georgia Institute of Technology’s School of Computer Science, was previously Adjunct Distinguished Fellow to Carnegie Mellon CyLab, and served as senior managing director for PricewaterhouseCoopers (PwC). She is co-chair of the ABA’s Privacy and Computer Crime Committee (Science & Technology Law Section) and co-chair of the ABA Cybercrime Committee (Criminal Justice Section).

Dawn and Jody join us today to dive deeper into the Joe Sullivan Case, the “crime”, the verdict, CISO liability, and responsibilities for the duty of fiduciary care.

Joe Sullivan was a former prosecutor from DOJ and well respected in the cybersecurity industry at the time (in 2016). When the breach happened, Joe was the CISO at Uber, and the breach involved PII on 57 million users and 600,000 of its drivers. The criminals contacted Joe with a demand for $100,000. He met with the Uber in-house attorney, Craig Clark, and proposed that they pay $100,000 out of a bug bounty program to the cyber criminals…


In this episode of Cybersecurity Insights, Dawn and Jody discuss:

  • What they think was wrong with the prosecutors’ case;
  • What’s currently driving the startup governance space;
  • Recommendations for protection for CISOs.