What In-House Counsel Can Learn from Criminal Prosecution of Uber’s Former Chief Security Officer
Data breaches, though frequent and often severe, remain big news events today. Even more newsworthy is when a corporate in-house attorney is criminally prosecuted in connection with his role in responding to a data breach event.
Such was the case for former Uber Chief Security Officer (CSO) Joseph Sullivan, who was recently indicted for obstruction of justice and misprision of a felony in connection with his alleged attempt to cover up a major hacking incident experienced by Uber in 2016.
The recent indictment of Sullivan is noteworthy—particularly so for in-house counsel, but for other corporate executives as well—as it demonstrates that in-house attorneys and other executives are not immune from criminal liability and can be targeted for criminal prosecution for actions taken in connection with corporate matters.
In September 2014, Uber suffered a significant data breach involving the unauthorized access to company data that was stored on the servers of its third-party cloud provider. After learning of the breach in February 2015, the Federal Trade Commission (FTC) informed Uber that it was evaluating Uber’s data security program and practices.
In November 2016—approximately 10 days after providing testimony to the FTC regarding the 2014 breach—Joseph Sullivan, Uber’s Chief Security Officer at the time, received an email from hackers informing him that Uber had suffered a second breach event. The 2016 security incident involved the unauthorized access and acquisition of an Uber database containing the sensitive personal information of approximately 57 million Uber users and drivers, including the drivers’ license numbers of approximately 600,000 people who drove for Uber. The perpetrators of the 2016 attack also demanded a six-figure payment in exchange for silence regarding the hack.
Rather than report the 2016 breach, Sullivan purportedly took deliberate steps to keep the breach from becoming public knowledge and to conceal it from the FTC.
As part of this effort, Sullivan allegedly facilitated the payment of $100,000 in Bitcoin by Uber in December 2016 by funneling the payoff through a bug bounty program—a program in which a third-party intermediary arranges payment to non-malicious hackers who identify security issues but do not actually compromise data. Sullivan also sought to have the hackers sign non-disclosure agreements (NDAs) containing a false representation that the perpetrators did not take or store any data. And when asked by other Uber employees about the false promise, Sullivan is said to have insisted that the language stay in the NDAs.
Further, in the months following the 2016 breach, Sullivan provided additional responses to FTC inquiries but purportedly failed to inform the FTC of the subsequent security incident, even though he was aware that the FTC’s investigation was focused on data security.
Moreover, when a new CEO was brought on to lead Uber, Sullivan allegedly misrepresented the circumstances of the breach to the CEO. At the time, the FTC investigation was not yet fully resolved, and the FTC remained unaware of the 2016 breach event.
In September 2020, Sullivan was indicted in the Northern District of California for obstruction of justice and misprision of a felony as a result of his deliberate campaign to conceal, deflect, and mislead the FTC about the 2016 breach.
Analysis and Takeaways
The mishaps of Sullivan, a former federal prosecutor specializing in high-tech crime, and the resulting criminal indictment brought against him, provide several valuable lessons for in-house counsel and other corporate executives.
• In-House Counsel/Corporate Executives Are Not Immune to Criminal Liability
First and foremost, the Sullivan case demonstrates in clear terms that in-house counsel and other corporate executives are not immune from allegations of criminal liability, and can be targeted and prosecuted for actions (or omissions) that run afoul of the law.
The Sullivan indictment also highlights the need for in-house counsel—and all corporate executives for that matter—to be cognizant of the Responsible Corporate Officer doctrine (RCO doctrine), which provides that any corporate officer who has the authority and responsibility to prevent violations of any health or welfare statute may be held criminally liable for the underlying violations, regardless of the officer’s knowledge or intent. Significantly, liability can be imposed under the RCO doctrine merely by establishing that an officer possessed the responsibility and authority either to prevent the violation in the first instance or to promptly correct it, and that the officer failed to do so.
Although it was not used to pursue an indictment against Uber’s former CSO, the RCO doctrine has been revived by the Department of Justice (DOJ) over the course of the last decade in an effort to boost compliance with federal laws, including, particularly, the Food, Drug, and Cosmetic Act (FDCA). In addition, in 2015 Deputy Attorney General Sally Yates issued what is commonly known as the “Yates Memo,” which outlined the DOJ’s intent to focus on the pursuit of executives for corporate misconduct. Importantly, the Yates Memo highlights the DOJ’s position that “[i]n large corporations where responsibility can be diffuse and decisions are made at various levels, it can be difficult to determine if someone possessed the knowledge and criminal intent necessary to establish their guilt beyond a reasonable doubt,” and that “[o]ne of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.”
With the prevalence of security incidents today, it is not unreasonable to posit that the government may seek to extend the RCO doctrine to the data breach context, in an effort to seek greater accountability from corporate executives in responding to and reporting data compromise events.
• Failure to Properly Report a Data Breach or Other Security Incident May Lead to Criminal Liability
The Sullivan case also highlights the complexities and potential pitfalls that exist for in-house counsel and senior management in connection with reporting a security incident after a company experiences a breach event.
In particular, a decision by in-house counsel or other executives not to disclose certain facts underlying a security incident, on the basis that those facts are not “material” to the breach or do not trigger other notice obligations such as state data breach notification laws, may be deemed by prosecutors to be an illegal concealment of facts. That concealment, in turn, can serve as the basis for both obstruction of justice and misprision of a felony charges.
From a broader perspective, this case also highlights the potential pitfalls of cooperating with law enforcement following a breach event. Generally, coordination with law enforcement can be an endeavor fraught with unforeseen consequences, as oftentimes law enforcement’s motives are not aligned with a company’s best interests. As the Sullivan case shows, working with law enforcement also may create problems based upon the amount of information that is shared with officials, which if deemed insufficient could result in criminal charges being brought against corporate executives involved in the organization’s response efforts.
Indeed, this particular shortcoming served as the basis for the DOJ’s failed prosecution of former GlaxoSmithKline (GSK) vice president and in-house attorney Lauren Stevens, who in 2010 was indicted (but later acquitted) for allegedly making false and misleading statements in connection with a U.S. Food and Drug Administration investigation into whether GSK improperly promoted its anti-depressant drug, Wellbutrin, for an unapproved use (weight loss).
Importantly, the Sullivan and Stevens incidents demonstrate why, as a general rule, it is recommended that corporate executives never speak directly with law enforcement or regulators, but instead immediately reach out to experienced counsel who can assist in formulating a strategic response to any inquiries or requests that, if not handled properly, may have criminal implications.
• Gray Area Exists Between Breach Response and Aiding Criminal Activity
In addition, the Sullivan case showcases the gray area that exists between communicating with attackers as part of an organization’s breach response efforts and participating in the criminal activity itself.
In the specific context of payment demands—which often come as part of a ransomware attack—in-house counsel and corporate executives who communicate with cyber criminals clearly must set forth the company’s intentions of engaging in negotiations before beginning any type of dialogue with the perpetrators of an attack. In most instances, in-house attorneys should contact outside counsel who is experienced and well-versed in responding to breach events, to ensure compliance with the law and adherence to other best practices when communicating with hackers.
The indictment of Uber’s former CSO demonstrates the precarious position that in-house counsel and other corporate executives find themselves in when having to respond to a security incident. In addition to ensuring that the company complies with its breach notice requirements and other legal obligations, counsel must also be mindful that their actions may lead to individual criminal liability. And, from a broader perspective, the Sullivan prosecution serves as a clear warning that federal prosecutors may be looking to take a more aggressive stance against what they see as improper conduct by in-house counsel and corporate executives, especially as it relates to disclosures and communications with federal officials.
As such, moving forward, in-house counsel and corporate executives must evaluate, before taking any major course of action, how the decisions they make in real time may be interpreted or construed by prosecutors and regulators after the fact, so as to avoid finding themselves in the same position as Uber’s former CSO.
“What In-House Counsel Can Learn from Criminal Prosecution of Uber’s Former Chief Security Officer,” by Joseph G. Poluka and David J. Oberly was published in Corporate Counsel on February 18, 2021.
Reprinted with permission from the February 18, 2021, edition of Corporate Counsel © 2021 ALM Media Properties, LLC. All rights reserved.
This article was reprinted in ALM Media's Law Journal Newsletters April 2021 edition.