It's very unusual these days that an executive face criminal liability related to corporate wrongdoing so the story of ex-Uber CISO Joe Sullivan is a notable one. I discuss the relevant 2016 ransomware incident, the key legal role played by notification of law enforcement (or the lack thereof in this case), the gray zone around bug bounty programs, and the broader debate about when criminal liability is appropriate. I think this story has many interesting angles and I will also digress a little into executive compensation, the Theranos trials, and the legal meaning of the "O" in your favorite "C?O" title.