On October 5, 2022, a federal jury convicted Joseph Sullivan, former Chief Security Officer (“CSO”) of Uber Technologies, Inc. (“Uber”) of criminal charges over his response to a data breach incident in 2016. Sullivan was hired as Uber’s CSO in 2015, at which time the Federal Trade Commission (“FTC”) was investigating Uber’s data security program and practices due to a data breach Uber had suffered in 2014. As CSO, Sullivan played a central role in Uber’s compliance with the FTC investigation. Specifically, Sullivan would supervise Uber’s responses to FTC questions, participate in any presentations to the FTC, and testify under oath to the FTC regarding Uber’s data security practices. In the midst of this investigative process, Sullivan learned that Uber had suffered another breach in the form of a ransomware-like attack.
Ransomware is a form of malware that encrypts files on a device rendering them unusable until the user typically pays the bad actor(s) a ransom in exchange for decryption. In Sullivan’s case, the hackers had reached out to Sullivan directly informing him that they had stolen a significant amount of user data from Uber and they wanted a large ransom in exchange for the deletion of the data. Uber employees working under Sullivan were able to verify that the hackers had successfully stolen the records of 57,000,000 Uber users and 600,000 driver license numbers. Sullivan then made several statements instructing those working under him to keep the new data breach a secret. From here, Sullivan arranged to pay off the hackers and had them sign non-disclosure agreements in which the hackers agreed not to reveal the breach to anyone and falsely stated that the hackers did not take or store any data in their hack. In December 2016, Uber paid the hackers $100,000 in bitcoin and in the summer of 2016, Uber entered into a preliminary settlement with the FTC without Sullivan ever disclosing the subsequent data breach to the FTC.
In the fall of 2017, Uber’s new management eventually discovered the truth surrounding the 2016 data breach. Accordingly, in November 2017, Uber disclosed the breach to the public and then to the FTC. Additionally, Uber identified the two hackers from the 2016 data breach so that the Department of Justice (DOJ) were able to prosecute the hackers in the Northern District of California. Throughout the hackers’ prosecution, it became clear that after Sullivan assisted in covering up Uber’s second data breach, the hackers were able to commit an additional ransomware attack on another company.
Accordingly, the DOJ indicted Sullivan and he was ultimately found guilty of obstructing justice under 18 U.S.C. § 1505 and committing a misprision of felony under 18 U.S.C. § 4. Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum of three years in prison for the misprision charge.
Following the guilty verdict, DOJ leadership made a public statement declaring that the DOJ “expect[s]” companies with access to sensitive consumer data “to protect that data and to alert customers with appropriate authorities when such data is stolen by hackers” and that the DOJ “will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation…than in protecting users.” Similarly, the Federal Bureau of Investigation (FBI) declared that following the verdict the message is now clear: “companies storing their customers’ data have a responsibility to protect that data and to the right thing when breaches occur.”
This case is notable not only because it is the first time a company executive has ever faced criminal prosecution over their response to a data breach, but also because at the time of prosecution, there was no federal statute requiring companies to disclose data breaches to the federal government. Accordingly, some commentators felt that the guilty verdict blurred the line between “covering up” a data incident and merely declining to report it. These industry members felt like the DOJ statements suggested that a mandatory duty to disclose to the federal government already existed and that any future nondisclosure would be prosecuted as a cover-up. Moreover, some corporate executives voiced concerns that they could be scapegoated if their company were ever perceived to have covered up a cyberattack. Other commentators dismissed this verdict as a non-event, finding the extreme facts of the case to mean that the case was an outlier and the duty to disclose for most companies remained the same.
On December 6, 2022, the DOJ Principal Associate Deputy Attorney General, Marshall Miller, made comments to quell some of the above-mentioned fears. In addressing Sullivan’s conviction, Miller stated that “The prosecution of the Uber CSO stemmed from an extreme set of actions that represent an acute outlier from regular compliance practice.” Marshall added that, “No one should take away from this case that good faith compliance decisions will be the subject of criminal prosecution.” Even though Sullivan’s conviction is likely an outlier, there are some important takeaways that businesses and individuals involved in a data breach should keep in mind to avoid criminal liability.
- A preexisting, ongoing government investigation changes a company’s duty to disclose.
- Keep your bug bounty program and ransomware payment procedures separate.
Following, Sullivan’s conviction and the DOJ’s comments, it is clear that merely failing to disclose a data breach is not a crime. Rather, the fact that Uber was already in the midst of an FTC investigation into its data security practices was central to the charges against Sullivan. Specifically, the court held that because the FTC had served a detailed civil investigative (“CID”) demand on Uber in 2015, demanding details about any other instances of unauthorized access to user personal information and information about Uber’s data security program in general, Sullivan had a duty to update the CID with the new data breach. Accordingly, the takeaway is that when there is a preexisting and ongoing regulatory investigation into a previous data breach at your company or into your company’s cybersecurity program as a whole, there is likely a duty to disclose any new incidents to the same government agency.
It is also important to note that the DOJ primarily based their misprision charge on Sullivan’s use of Uber’s bug bounty program to hide the details of the 2016 breach. A bug bounty program essentially provides financial incentive to hackers to find and report vulnerabilities in a company’s system before criminal-hackers do so. This allows the company to preemptively fix the bugs before a data breach occurs. Industry members and these bug-bounty hackers have collaborated to create coordinated vulnerability disclosure (CVD) practices and companies typically condition their bug bounty programs on following these CVD rules or a similar set of rules.
Accordingly, the takeaway from Sullivan’s verdict is that companies should make clear when the company is making a ransom payment versus a bug bounty payment. Bug bounty payments should be reserved solely for hackers that are following the explicit rules of the company’s bug bounty program. If there is any reason to believe that the hacker was not following the rules of the bug bounty program, companies should treat the matter as an illegal ransomware attack and follow reporting requirements accordingly. Lastly, it is important for companies to be consistent with their own application of their bug bounty program. At trial, the DOJ placed a lot of emphasis on the fact that the payment Sullivan made to these hackers was ten times the limit of Uber’s bug bounty program and that Sullivan arranged for the payment without following the usual process required by Uber’s bug bounty program.
- Be careful about information included within cyber incident response materials and communications.
Lastly, it is important to note that the DOJ repeatedly referenced internal company communications and used other Uber executives as key witnesses to convict Sullivan. For example, the DOJ made much of the fact that Sullivan told those under him that they couldn’t let news of the data breach out. It is not uncommon for companies to keep information about a cyber incident private, and thus the last takeaway is that companies should minimize response materials in writing. Moreover, it is important to note that companies need to be careful with what they put in writing even for documents to general counsel because legal privilege does not always apply, or may be waived, as to particular documents and communications created in the incident response process.