The Department of Justice (DOJ) recently announced that Joe Sullivan, Uber's former Chief Security Officer, was charged with obstruction of justice and misprision of felony in connection with a 2016 data breach at Uber and his actions in responding to the incident. DOJ's decision to prosecute Sullivan surprised many of us on first read. The case appears to be one of the few times an American corporate executive has faced federal criminal charges, and potential prison time, for his or her response (or lack of response) to a data breach. Raising eyebrows further, some of the more muscular rhetoric coming out of DOJ, that the Department expects "prompt reporting of criminal conduct," appeared to suggest that it decided to go after Sullivan because he failed to disclose a crime that someone else committed. Puzzling indeed, especially in light of the usual rule of thumb that failing to disclose a crime, without something more (such as an affirmative act of concealment), is not typically something prosecutors charge. Alarming sound bites catch notice, so this one definitely warranted a second cup of coffee and a closer read.
So what was really going on? Did DOJ really charge Sullivan just because he failed to live up to a new "prompt reporting of criminal conduct" standard? Probably not. First, according to the charges, at the time Sullivan learned of the 2016 breach he was assisting Uber's response to a then-ongoing FTC investigation about a previous 2014 data breach. He was intimately involved in the FTC's inquiries and was aware that the investigation focused on data security, data breaches, and the protection of user data. Ten days after he provided sworn testimony to the FTC about the 2014 data breach, he learned of the new 2016 data breach, and allegedly understood its similarity to the 2014 data breach, but nevertheless told his employees to keep the information about the breach "tightly controlled." He continued to respond to FTC inquiries but neglected to tell either the FTC or Uber's own investigation attorneys about the breach.
Second, and likely worse from DOJ's perspective, Sullivan allegedly took steps to actively conceal the hack. As part of the alleged cover-up, he reportedly relied on Uber's "bug bounty" program, which is designed to incentivize "white-hat hackers" to identify security vulnerabilities in exchange for cash rewards. The terms of Uber's bug bounty program explicitly prohibited payment to hackers who had accessed data about Uber's users and drivers; in other words, the program rewarded responsible disclosure of vulnerabilities, not the return of stolen data. Yet Sullivan allegedly helped Uber arrange to pay the hackers $100,000, an amount far exceeding the program's $10,000 maximum payout, and then allegedly went further, insisting that the hackers sign an NDA that he knew falsely represented that they had not obtained any data during their intrusion. When Uber hired a new CEO in 2017, Sullivan also allegedly misrepresented the circumstances of the 2016 breach by removing from a summary provided to the new CEO the details that would have revealed the true scope of the hack.
So, rhetoric about the need to "prompt[ly] report criminal conduct" notwithstanding, Sullivan's alleged proactive efforts to cover up the data breach were probably what pushed the prosecution to see his actions as more than a mere failure to disclose a crime, and as crossing into the criminal territory of an affirmative act to conceal the crime. That, of course, was welcome news for the purists among us, who will take great comfort in knowing that the law did not change overnight, and that an affirmative act of concealment remains an element of the crime of misprision of felony.