Cybersecurity executives are facing more and more civil and criminal legal liability for breaches that occur on their watch (if not handled correctly). I discuss this trend in the context of Uber's 2016 breach and the recent, accelerating criminal proceedings against Uber's then-CSO (a similar role is often styled CISO), cover some very basic best practices for what is supposed to happen, and discuss how this trend has chilled enthusiasm for ransomware payments and bug bounty programs.