Background
On August 20, 2020, the Department of Justice (“DOJ”) announced that it had charged Joseph Sullivan, the former Chief Security Officer (“CSO”) of Uber Technologies Inc. (“Uber”), with obstruction of justice and misprision of a felony for allegedly attempting to cover up Uber’s 2016 data incident during the course of an investigation by the Federal Trade Commission (“FTC”). While the DOJ and federal law enforcement have generally treated corporate hacking targets as victims in connection with data breaches, the charges against Sullivan reinforce that they will actively pursue any violations of federal law that are committed by entities or individuals during the course of responding to such incidents.
Overview
Uber was the victim of two separate data breaches in 2014 and 2016. In connection with the 2014 hack, Joseph Sullivan was involved in coordinating the company’s interactions with the FTC, which opened a civil investigation into Uber’s cybersecurity practices and representations. Among other things, Sullivan assisted in the preparation of responses to written questions from the FTC and personally provided sworn testimony relating to the incident.
In November 2016, while the FTC investigation was ongoing, hackers contacted Sullivan demanding a six-figure ransom payment from Uber. The hackers informed Sullivan that they had breached Uber’s security system and accessed the personally identifying information of approximately 57 million Uber users and drivers. The DOJ’s criminal complaint arises from its allegation that Sullivan proceeded to take “deliberate steps to conceal, deflect, and mislead the Federal Trade Commission” about this second breach.
Specifically, Sullivan allegedly learned of the breach less than two weeks after testifying to the FTC in connection with the 2014 hack. Rather than disclose the new security breach to the FTC, Sullivan allegedly deliberately misled the agency and obstructed its investigation. According to the DOJ, at Sullivan’s instruction, Uber entered into non-disclosure agreements (“NDAs”) with the hackers, each of which falsely stated that the hackers had not wrongfully taken or stored any Uber data. Sullivan further arranged for Uber to pay the hackers $100,000 allegedly under the pretense that they were being paid “bug bounties” for alerting Uber to a security vulnerability, even though the hackers’ actions violated the terms of the program and the amount paid was far in excess of the nominal cap of $10,000 for bounties. Sullivan also continued to interact with the FTC and, among other things, signed off on the company’s representations that it had been fully cooperative with the agency and had remediated its security issues.
When Uber appointed a new Chief Executive Officer in August of 2017, Sullivan allegedly provided him with a misleading summary of the 2016 hack that intentionally omitted details about the data the hackers had accessed. The two hackers were later charged with computer fraud conspiracy, and the complaint stated that both “chose to target and successfully hack other technology companies and their users’ data” allegedly after Sullivan failed to bring the Uber data breach to the attention of law enforcement.
Sullivan is charged with obstruction of justice relating to the FTC’s investigation and misprision of a felony, based on his failure to notify and efforts to conceal the 2016 hack from the authorities.
Takeaway
When announcing the charges, the FBI issued a pointed warning: “[W]e hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”
For corporate victims of hacking, the charges highlight that even though the DOJ may treat entities as victims for one purpose (i.e., as the target of the hack), it may nevertheless investigate the same companies and their executives if other federal crimes are committed during the course of an incident response. As another prominent example, the DOJ charged two individuals with insider trading based on the sale of Equifax stock shortly prior to the public disclosure of the material breach it suffered in 2017.
The Sullivan prosecution is perhaps an even more aggressive step by federal authorities in bringing charges under the obstruction and felony misprision statutes, the latter of which is rarely used in white-collar cases. As alleged, the DOJ’s case also appears to rely largely on Sullivan’s failures to disclose and acts of concealment relating to the 2016 incident rather than on affirmative misrepresentations. In bringing the case, the DOJ is expressly sending the message that it expects companies and their executives to be cooperative and fully candid with law enforcement when reporting a data incident and interacting with any federal regulators.