Focus: Intellectual Property/Science & Technology Law

Crime & Sacrifice: Criminal Liability for Concealing Data Breaches

BY CHARLES HOSCH, KATE MORRIS, AND RUSS PEARLMAN

In what may be a first, Uber Technology Inc.’s (Uber) former Chief Security Officer (CSO), Joseph Sullivan, was recently convicted of criminal obstruction of a Federal Trade Commission (FTC) investigation and misprision of felony (knowing of a felony yet taking active steps to conceal it), in connection with an attempted coverup of a 2016 data security breach. Was CSO Sullivan a villain, as the Department of Justice (DOJ) and the federal jury concluded he was, or was he merely a scapegoat?

Prior to Sullivan being hired, Uber was already under investigation by the FTC for a data breach that had occurred in 2014. Just 10 days after testifying to the FTC around that breach, hackers informed him that they had breached Uber anew. Uber’s staff quickly confirmed the fact of a new 2016 breach (ultimately impacting 57 million customers).

However, Sullivan did not report the new breach to the FTC. According to the DOJ’s press release after his conviction, Sullivan instead told his staff that news of the breach must not be disclosed. He also had the hackers sign a non-disclosure agreement, which falsely recited that they did not obtain any personal information; ignored warnings from his staff; paid the hackers $100,000 in bitcoin for their silence; and covered up that payment as a customary “bounty” for the hackers’ supposed “help” in finding a “bug” in Uber’s systems. Meanwhile, Sullivan continued to assist in the FTC investigation, never mentioning the 2016 breach, and instead took affirmative steps to conceal it. When he learned the hackers’ actual names in the following year, he caused them to execute new non-disclosure agreements under their real names, reaffirming their agreement to keep quiet.

It appears that Uber’s then-CEO and one or more of Uber’s lawyers may have learned about the 2016 breach about a month after Sullivan did, though the DOJ took pains to establish that Sullivan had never mentioned it to the Uber lawyers who were handling the FTC investigation. In any event, despite the pending FTC investigation, no Uber official took action. It was not until late in 2017 that Uber disclosed the 2016 breach to the FTC. That report came after a new CEO took office, ordered a new internal investigation of the 2016 breach, and discovered that Sullivan had also lied to him and had deleted the paragraph from a report prepared by one of Sullivan’s staff describing the large quantity of user data that had been compromised.

The whole affair is an object lesson in faulty corporate governance, with plenty of blame to go around for crimes that are not specific to cybersecurity. On his way to sentencing, Sullivan may feel like the “fall guy,” considering what other senior officials may have known.

Regardless, what lessons can be drawn? We think there are at least four:

Strong, determined corporate governance is at least as necessary as technical safeguards. Data security regulations exist across every state, the U.S. government, industry sectors, and many foreign governments. Reasonable cybersecurity and prompt disclosure of breaches are now baseline requirements. Many authorities require more than that, and the trend is toward more prescriptive requirements. The SEC, for example, is moving to enhance and standardize its cybersecurity risk management, governance, and reporting rules. It has proposed rules regarding, among other things, the disclosure of a company’s policies and procedures for identifying and managing cybersecurity risks. The proposed regulations require cybersecurity governance, including the board of directors’ oversight role. The SEC is also contemplating management’s role, and relevant expertise, in assessing and managing cybersecurity risks and implementing related policies, procedures, and strategies.

Insist on a culture of security. Chief Information Security Officers must have their companies’ active, energetic support for cybersecurity and privacy programs. Officers should champion those programs to build a workforce culture that values cybersecurity and transparency, engages aggressively in training and data protection, and encourages “reporting up” on issues involving cybersecurity. It is important to have accurate and complete documented communications with the CEO and the board of directors about cybersecurity risks, priorities, and resources. Officers need to understand their companies’ risks and needs without hyperbole and exaggeration, to avoid surprises and, ideally, to formulate a cybersecurity plan that can endure successive CISOs.

Prioritize vigilance and active response, not only up to the levels required for regulatory compliance, but, if necessary, beyond what is minimally required to stay within industry norms. Incident response plans should be scrupulously followed, and involve all interested parties, including outside counsel and the board, if appropriate.

And with guidance from counsel, remember Norman Augustine’s timeless advice for responding to corporate crises, from his famous 1995 article in the Harvard Business Review, “Managing the Crisis You Tried to Prevent”: tell the truth and tell it fast.

Charles Hosch and Kate Morris are Co-Founding Members of Hosch & Morris, and Russ Pearlman is Of Counsel and serves as the Chief Technology Officer of the firm. They can be reached at charles@hoschmorris.com, kate@hoschmorris.com, and russ@hoschmorris.com, respectively.