Featured Expert Contributor, White Collar Crime and Corporate Compliance
Gregory A. Brower is Chief Global Compliance Officer for Wynn Resorts. He also serves on WLF Legal Policy Advisory Board and is a former U.S. Attorney. David Hale is a shareholder with Brownstein Hyatt Farber Schreck where his practice is focused on helping clients with privacy, cybersecurity, and related business issues. He previously served as Chief Privacy Officer at TD Ameritrade.
* * * *
In a very closely watched case, Uber Technologies, Inc.’s former Chief Security Officer (“CSO”), Joseph Sullivan, was recently convicted of felony charges related to his handling of a data breach that victimized the company in 2016. This case apparently marks the first time a corporate CSO has been charged with, let alone convicted of, a crime because of their action or inaction concerning a breach.
In 2014 Uber sustained a data breach that allowed hackers to access confidential information on thousands of drivers and customers. The company’s internal investigation revealed the details of the breach, and the company notified relevant regulators, including the Federal Trade Commission (“FTC”), kicking off an investigation and an eventual settlement. In the aftermath of this incident, in 2015 Uber formed a new security group and hired Sullivan, a former Assistant U.S. Attorney who had prosecuted cybercrimes in the Northern District of California, as its first CSO.
In November of 2016, Sullivan learned of another breach when he was contacted with information about a vulnerability and proof that the hackers had accessed Uber users’ personal information. In subsequent emails the hackers demanded payment of $100,000. Eventually, Uber paid the ransom under the auspices of its “bug bounty” program, and the hackers each signed a non-disclosure agreement (“NDA”). NDAs were not a normal part of the program and, moreover, they contained inaccurate information about the details of the breach. Uber did not notify the FTC about this second breach, either at the time of its discovery or at the time of the eventual payment to the hackers, despite the FTC’s then-ongoing investigation of the company’s data security.
In June of 2017, Uber’s founding CEO stepped down and the company named a new CEO. Within a couple of months, Sullivan briefed the new CEO on the 2016 breach, but, according to DOJ, this briefing omitted certain key details and misstated others. Following further investigation by Uber’s new leadership team, the true facts surrounding the 2016 breach emerged, leading Uber to publicly disclose the details and to notify relevant state and federal agencies, including the U.S. Department of Justice (“DOJ”) and the FTC.
Uber’s notice to DOJ led to an investigation, which in turn led to the prosecution of the 2016 hackers, both of whom pled guilty. DOJ also charged Sullivan, alleging that he worked to hide the breach from the FTC and took steps to prevent the hackers from being caught. Uber cooperated in the investigation and eventually reached a non-prosecution agreement (“NPA”) with DOJ. The case against Sullivan, however, went to trial and resulted in a conviction.
Following the verdict, the U.S. Attorney for the Northern District of California warned companies of their responsibility to “protect data and to alert customers and appropriate authorities when such data is stolen by hackers.” This case was not really about the usual illegal hacking activity that clearly violates federal law; as noted above, the hackers themselves were prosecuted. Rather, the case marks the first time that DOJ has treated a key executive’s own conduct in responding to a hacking incident as criminal. This should serve as a wake-up call to CSOs and others who operate on the front lines of managing their organization’s response to such incidents.
Some Lessons Learned
So what should a CSO dealing with the often ambiguous facts of a data incident do? First, it is critical to understand the regulatory framework in which the company is operating. In this case, at the time of the 2016 breach, the FTC was already investigating Uber over the 2014 breach and, as a result, the Commission had subjected Uber to enhanced reporting requirements.
Second, transparency is clearly key, whether internally, with regulators, or with the public. A more transparent response likely would have mitigated the damage this incident caused to Sullivan and Uber.
Third, informed executive (and board) buy-in and approval is critical. Here, there was apparently some awareness and agreement on the part of the CEO, but questions remain about exactly what he knew and why he didn’t inform the company’s general counsel or board of directors.
Fourth, like all senior leaders in a company, CSOs sit in a position of authority that potentially exposes them to liability when they act, or fail to act, in a way that causes real harm. While this case marks the first time a CSO has been charged with a crime for the way they handled a data breach, there are countless examples of senior corporate executives charged for concealing information from government investigators.
Finally, the Sullivan case should serve as a reminder to privacy, security, legal, compliance, and business executives of the need for a plan to evaluate and respond to cyber attacks. Every organization would be well-advised to: (1) devise a plan for compliance with all applicable laws and regulations; (2) implement that plan and train on it; (3) regularly engage in table-top exercises to ensure that the plan is workable in a variety of potential scenarios; and (4) follow the plan when a real cyber event occurs. This case shows that inadequate preparation can result not only in economic loss, reputational harm, and civil liability, but also in potential criminal exposure.