On May 4, 2023, Joseph Sullivan, the former Chief Security Officer (CSO) of Uber Technologies, Inc., was sentenced to three years' probation and 200 hours of community service in a precedent-setting case for the cybersecurity industry. On October 5, 2022, after a one-month trial, a jury in the U.S. District Court for the Northern District of California convicted Sullivan on federal charges of (1) obstructing a Federal Trade Commission (FTC) investigation of Uber's data security practices and (2) failing to report a felony. The charges resulted from Sullivan's efforts to conceal a data breach that exposed the personally identifiable information (PII) of 57 million Uber users. The sentence was imposed by U.S. District Judge William H. Orrick, who also presided over the trial.
While Sullivan avoided prison time, his conviction serves as a loud alarm bell for corporate officers, highlighting that they could face criminal liability in extreme cases for their actions, or lack thereof, when responding to a cybersecurity breach. Cybersecurity professionals and their counsel will be well advised to focus on and heed their legal and ethical obligations to resolve cybersecurity incidents with honesty and as much transparency and candor as possible.
Sullivan Yielded To Hackers' 2016 Ransomware Attack in the Midst of an Ongoing FTC Investigation
Uber hired Sullivan as its CSO in April 2015. At the time, Uber disclosed to the FTC that it had been the victim of a data breach in 2014. Subsequently, in May 2015, the FTC launched an investigation into Uber, requesting information on the 2014 data breach and Uber's general data security practices. As CSO, Sullivan helped steer Uber's response to the FTC investigation. Among other things, on November 4, 2016, Sullivan testified under oath to the FTC that Uber had taken steps to better secure its customers' data.
A mere ten days after providing testimony to the FTC, Sullivan became aware that Uber had been hacked again. The hackers claimed to have stolen the data of about 57 million Uber users and demanded a ransom payment from Uber, promising to delete the data in exchange. After confirming the accuracy of the hackers' claim, Sullivan arranged for Uber to pay the hackers $100,000 in bitcoin in December 2016. Sullivan's team classified the payment as a "bug bounty" — a monetary reward given to security researchers who report vulnerabilities or bugs in a company's software — rather than a ransomware payment and required the hackers to sign nondisclosure agreements, promising not to publicize the hack. Sullivan's team later identified the hackers in January 2017 and required them to execute new nondisclosure agreements in their true names.
Sullivan failed to disclose the 2016 data breach to the FTC, which was still investigating Uber's 2014 data breach, or to any other government body.
In the fall of 2017, Uber's new management, led by new CEO Dara Khosrowshahi, opened an investigation into the 2016 data breach and eventually fired Sullivan. In November 2017, Uber disclosed the 2016 breach to the FTC and the public.
The charges Sullivan was convicted of focused on his failure to disclose and efforts to conceal the 2016 breach. Upon Sullivan's conviction, U.S. Attorney Stephanie Hinds warned: "We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted."
Judge Orrick's Sentence and Caution for Cybersecurity Professionals
In a case closely followed by the cybersecurity industry, Judge Orrick meted out a lenient sentence of three years' probation, 200 hours of community service, and a $50,000 fine. Prosecutors had recommended a 15-month sentence, but Judge Orrick concluded that probation was warranted given the first-of-its-kind nature of the case. But Judge Orrick also cautioned that chief security officers should not expect similar leniency in the future: "If there are more, people should expect to spend time in custody, regardless of anything, and I hope everybody here recognizes that...."
Best Practices When Responding to Cybersecurity Breaches
Sullivan's conviction raises the stakes for information security professionals, who should continue educating themselves on the latest legal requirements and best practices in responding to a cybersecurity incident. We've written on this subject before here, here, and here — and below are a few key, high-level pointers:.
- First and foremost, the responsibility to respond to data breaches should not rest solely on the shoulders of cybersecurity professionals. Companies that collect and store PII from their users should proactively implement and update their incident response plan (IRP) — and make sure to follow the plan should an incident arise. Robust IRPs require coordination from various internal and external resources such as professionals from information security, human resources, public relations/communications, finance, and legal in the event of a security incident or ransomware attack.
- Second, having in-house and/or retained legal counsel lead investigations and responses to security incidents can ensure that legal obligations are met, help maintain the privileged nature of certain communications and work product, and assess legal exposure caused by the data breach. Legal counsel play a critical role in responding to data breaches, particularly as government investigations and litigations following such breaches has become increasingly common.
- Third, when appropriate, companies, working with their legal advisers, should timely notify proper law enforcement agencies and necessary third parties (or make a reasoned and supportable decision as to why such notice might not be required). Law enforcement (e.g., FBI, Secret Service, or state bureaus of investigation) can help companies understand their available options with respect to particular threat actors and how to prevent future incidents. Additionally, certain breach notification laws, like the EU's General Data Protection Regulation and some state statutes, require companies to notify the relevant regulator and individuals depending on the type of data at issue as well as whether the data was "acquired" or merely "accessed." Companies also may have contractual or statutory obligations to notify customers, vendors, and other government agencies of a security incident.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
