In October 2022, a jury found Uber’s former chief security officer guilty of two crimes associated with a data breach at the transportation company. It is the first criminal conviction of a senior executive for obstructing an investigation into cybersecurity program compliance and concealing a cyber incident from regulators.
On October 5, 2022, a federal jury in the Northern District of California returned guilty verdicts against Joseph Sullivan on two counts: obstruction of justice and misprision of a felony. The charges stem from the role Sullivan played in responding to a 2016 data breach that compromised personal information from 57 million Uber passengers and drivers. Ironically, Sullivan once served as a federal cybercrime prosecutor for the very same US Attorney’s Office that earned the verdicts. In November 2016, hackers broke into Uber’s database and downloaded millions of personal records. At the time, Uber was already under investigation by the Federal Trade Commission for a data breach that had occurred in 2014 and was reported to the FTC in 2015. Sullivan, who was heavily involved in responding to the FTC investigation in his role as deputy general counsel, organized a ransom payment of $100,000 in Bitcoin, under the guise of a payment through Uber’s bug bounty program. Sullivan had provided testimony to the FTC just days before learning of the 2016 breach and was obliged to provide them information about the new breach, but he did not. He also failed to notify anyone other than Uber’s then (but now ousted) CEO, in-house lawyer, and others working under his supervision, while continuing to cooperate with the FTC’s investigation of the 2014 incident. In November 2017, after a new leadership team took over at Uber, they informed the FTC of the events, leading to charges against Sullivan. Sullivan was not charged with failure to notify the government of a breach, as that is a civil, not criminal violation. However, the jury found him guilty of obstructing the investigation of the 2014 breach and misprision (or concealment) of the 2016 breach. While a sentencing trial date has not yet been set, federal guidelines suggest a sentence between 24 and 57 months, although they are not binding.
Seen in light of recent regulatory enforcement trends, these convictions demonstrate that violations of privacy will be taken very seriously by law enforcement, regulators, and citizens alike. Not only are organizations responsible for privacy compliance in civil court, but individual actors, especially those in high-profile executive roles, have been served notice that they may be held criminally responsible for severe privacy violations.
This year, the US Administration has signaled its intention to treat compliance with cybersecurity and privacy laws seriously. The SEC and FTC have endorsed new rules where members of boards of privately-owned companies are required to demonstrate cybersecurity knowledge. The White House is negotiating a trans-Atlantic data sharing agreement with the EU and has said it will tighten the rules to prevent intrusion into domestic systems and personal data breaches, and the FTC has stated that “data tracking poses a national security risk.” It is unfortunate that it had to come to a prison sentence for a cybersecurity executive, but organizations must recognize this is not a scare tactic—cybersecurity and data protection are top priorities for US regulators. This shift signals that the US is making efforts to align with the EU data protection authorities when it comes to respecting individuals’ rights to privacy and protecting national security interests. While in the past “national security interests” were used to justify indiscriminate surveillance, the US now also recognizes the importance of protecting privacy rights. The Uber case shows that US regulators expect executives to behave in a transparent manner and cooperate with investigators. The harsh punishment is not for an ordinary breach allowing the exfiltration of massive amounts of personal data of individuals, but rather for the extraordinary efforts taken to hide this breach from the public and the authorities. This case does not signal a monumental change in how regulators think about breach response and personal exposure to civil and criminal liability; rather, it is a step forward in the maturity of enforcement actions by US regulatory bodies after the relatively lax attitude of the past two decades.
Creating and implementing a data breach response plan can ensure that you don’t make a critical misstep when you have an obligation to report to regulators and data subjects. Download this Incident & Breach Management Framework whitepaper from Exterro.