What Cos. Can Learn from Uber Breach Nonprosecution Deal

Law360

On July 22, six years after the data breach that caused a serious blow to Uber Technologies Inc.'s reputation, the U.S. Department of Justice announced that it had entered into a nonprosecution agreement with the ride-hailing app company.

The nonprosecution agreement finally resolves the long-running criminal investigation against Uber stemming from its former chief security officer's decision to pay the hackers a bug bounty in return for keeping quiet about the incident, and Uber's subsequent failure to report the incident.

Uber's 2016 breach stemmed from an attack in which hackers used stolen credentials to obtain a private access key, which they then used to access and copy approximately 57 million rider and driver records, including roughly 600,000 driver's license numbers.

At the time of the breach, the Federal Trade Commission was actively investigating Uber's data security practices following a smaller data breach in 2014.

The FTC's written questions required Uber to provide information about any unauthorized access to personal information. Not only did Uber fail to report the 2016 incident to the FTC during that investigation, it also represented that its new database backup files had been encrypted since August 2014. In fact, the database backup stolen by the hackers was created after August 2014 and was not encrypted.

It was a full year before the 2016 data breach came to light, and only after Uber had installed a new executive leadership team.

Under new management, Uber terminated its chief security officer and other involved personnel; notified its customers and regulatory authorities about the incident and cover-up; and provided affected customers with free credit monitoring and identity theft protection. Uber also invested substantial resources to restructure the company's compliance program.

Following Uber's self-disclosure in 2017, the company ended up paying significant fines to resolve matters with the FTC and the state attorneys general for all 50 states and the District of Columbia.

And in 2020 and 2021, the federal government charged Uber's former chief security officer, Joseph Sullivan, with obstruction of justice and wire fraud. Sullivan's trial will likely proceed later this year.

In this article, we discuss why the criminal authorities became involved in this data breach case, as well as factors that led the government not to prosecute Uber despite the damning fact pattern. Finally, we cover what companies in the private sector can take away from this long-running saga.

The DOJ's Cyber Playbook

The Criminal Division of the DOJ has long maintained that it should be seen as a partner to private companies that suffer cyberattacks. This desire has only strengthened in recent years.

In October 2021, for example, Deputy Attorney General Lisa Monaco went so far as to say that if companies were attacked and did not partner with law enforcement, it would be "bad for America."[1]

Similarly, the DOJ's July 2022 Comprehensive Cyber Review states that it is imperative for private sector entities to "come forward to provide investigators with enough information to investigate and disrupt the threat."[2]

Indeed, it would be very difficult for the DOJ to maintain its partnership rhetoric if companies were concerned that self-reporting could lead to the company's own conduct being criminally investigated.

Nevertheless, the DOJ could not let Uber's brazen conduct, including false statements to the FTC, go unnoticed.

Nonprosecution Agreement

Under the doctrine of respondeat superior, companies can be held criminally liable for the illegal acts of their directors, officers, employees and agents.

In this case, however, there were several factors that helped Uber avoid criminal charges. Among them were the actions of Uber's new executive management team to establish a strong tone from the top regarding ethics and compliance.

According to the nonprosecution agreement, this was manifested in new management's prompt investigation and disclosure of the 2016 incident; the investment of substantial resources to restructure and enhance Uber's compliance, legal and security functions; the hiring of experienced legal, ethics and compliance, information security and privacy leadership; and the termination of the individuals responsible for the company's initial response to the 2016 breach.

Also cited as positive factors were Uber's 2018 settlement agreement with the FTC and resolutions of civil litigation with the attorneys general of all 50 states and the District of Columbia for $148 million.

Pursuant to its agreement with the FTC, Uber agreed to maintain a comprehensive privacy program for 20 years and report to the FTC any incident the company reports to any other government agency relating to a breach of consumer information.

Similarly, Uber's settlement with the state attorneys general required Uber to create a corporate integrity program, and to implement and assess on a biennial basis a comprehensive information security program.

As a result of the commitments in those settlements and Uber's existing compliance program, the DOJ determined that an independent compliance monitor would be unnecessary.

Finally, the nonprosecution agreement noted that Uber fully cooperated with the government in its investigation of the matter and in the ongoing criminal case against Sullivan. The agreement requires Uber to continue to fully cooperate with the government's criminal prosecution of Sullivan, including by providing documents and witnesses.

Takeaways

Companies should take note of the factors listed in the nonprosecution agreement that reflect the positive actions of Uber's new management. For example, new executive leadership established a strong tone from the top and strengthened the company's culture of compliance and transparency.

Indeed, in the wake of a security incident, it is particularly important for companies to be able to show strong executive leadership on the privacy and cybersecurity front, including a board that takes an active role in privacy and cybersecurity issues.

The nonprosecution agreement also highlighted Uber's settlements with the FTC and the state attorneys general, including Uber's agreement to maintain a detailed privacy program, and to implement a comprehensive incident response and data breach notification plan.

Uber's remedial actions, including paying restitution and terminating those responsible, also weighed in favor of a decision not to bring criminal charges against the company.

Following a data breach or security incident, companies should take corrective action where appropriate, and make sure their policies and procedures continue to be adequate and effective.

Companies should at least annually test their incident response and data breach procedures using tabletop exercises to build incident response experience, hone information sharing and decision making, and further enhance a culture of cybersecurity awareness within the organization.

A company that becomes the victim of a cyberattack resulting in a data breach or material business disruption should notify law enforcement when appropriate, and should seek appropriate assistance to investigate and navigate the evolving landscape of regulatory reporting requirements.

It goes without saying that companies and their compliance, privacy and cybersecurity professionals should steer well clear of conduct that will grab the DOJ's attention following a data security incident.

While the DOJ is usually content to let other regulatory agencies handle inquiries regarding a company's proper compliance and disclosure, the department will pay attention to anything that resembles a false statement or cover-up. In data security as in life, the cover-up is generally worse than the crime.

"What Cos. Can Learn from Uber Breach Nonprosecution Deal," by Sharon R. Klein, Jennifer L. Achilles, and Alex C. Nisenbaum was published in Law360 on August 25, 2022.


[1] Address at Criminal Division Cybersecurity Roundtable: The Evolving Cyber Threat Landscape (Oct. 20, 2021).

[2] U.S. Department of Justice, Comprehensive Cyber Review, July 2022, page 39.