The world of in-house legal and cybersecurity professionals was turned upside down this week when a San Francisco jury returned a stunning verdict in a criminal case against former Uber security chief Joseph Sullivan.
Sullivan is a friend and former colleague. We worked together at eBay, when I was the company’s legal director and he worked in trust and security. I was at the courthouse on Wednesday when the jury returned its verdict.
Sullivan was found guilty of two counts stemming from a 2016 breach, in which hackers stole the personal information of 57 million Uber app users. The hackers then contacted Sullivan via email demanding a ransom. He directed them to the bug bounty program established by the company, paid them $100,000 for information regarding the security breach, then led a company-wide effort to find the hackers and fix the hole.
After discussing the matter with Founding CEO Travis Kalanick, Sullivan took advice from Uber’s in-house privacy and security attorney and concluded there was no need to report the breach to authorities. It was a tragic mistake with wide-ranging and serious implications for top lawyers and compliance and cybersecurity leaders in the business world.
Uber agreed in 2018 to pay $148 million to settle claims across the country related to the breach.
Now, Sullivan has been convicted of two counts — obstructing a government investigation and concealing the theft of personal data — which carry a maximum sentence of eight years in prison. Although he is likely to get a much lesser sentence, the conviction highlights the very real personal consequences that business executives face if hacks are not handled properly.
It’s not just the data and privacy crowd that should pay attention. Now is the time for the General Counsel to bring the internal privacy, legal, and security leaders together in a room for a chat.
First, don’t be like Uber. Leaders must make a clear commitment that what happened in this case will not happen again in your company.
Sullivan had little support in making the decision to report and was let go by the company as the investigation unfolded, a fact that baffled the cybersecurity community. Kalanick, long gone from Uber, took no responsibility for the decision. Former Uber General Counsel Salle Yoo testified that she was unaware of this major flaw at the time, even though members of the legal team were working on the matter and many engineers were hired to fix the security flaw.
Craig Clark, the attorney for Uber who told Sullivan he didn’t have to report the violation, made a deal with prosecutors. He got immunity in exchange for testifying against Sullivan.
Not to mention current Uber CEO Dara Khosrowshahi. Keen to show a clean break from Uber’s troubled ethical past with “Uber 2.0,” Khosrowshahi was only too happy to make an example of Sullivan by firing him and to show up at trial to testify.
It’s no wonder that in-house lawyers and cyber executives are extremely nervous about how they’ll be supported if they’re wrong, especially since there’s no clear guidance on how broad an inquiry prosecutors and regulators can launch following a hack.
There is comfort, and better decision-making, in process and collaborative thinking. GCs should quickly establish a thorough process to follow in the wake of future breaches.
This process should involve all key players, including the General Counsel, Chief Compliance Officer, Chief Security Officer, and (for major breaches) even the CEO and Board of Directors. An outside attorney should also be consulted. All parties should be aware of how regulators and juries are likely to react to decisions to cover up material breaches, in a new business environment where secrets are frowned upon and transparency around consumer data is increasingly expected.
All relevant officers must ensure that they are designated as officers entitled to coverage under the company’s directors’ and officers’ liability insurance plan.
For GCs, now is the time to revisit your company’s bug bounty program and practices. These programs are now widely and frequently used by businesses of all sizes to compensate people who report bugs related to security flaws and vulnerabilities.
The problem is that payouts under these programs often come with nondisclosure agreements that silence the party that reported the bug to the company. Prosecutors in the Sullivan case said Uber’s use of such an agreement showed it was trying to cover up the breach.
After Sullivan’s sentencing, companies are likely to take a closer look at whether disclosure is prudent for each new bug report.
It will be interesting to watch the post-trial motions and the appeal in the Sullivan case.
Like many others, I believe it is the company’s decision to report a violation, not a decision that should be made by one person. As such, any criminal case for failure to report such violations should be aimed at companies, not individual executives. If Uber could have turned to an established process that carefully engaged a wide variety of stakeholders following the breach, this case might not have targeted Sullivan, or might not have happened at all.
In the meantime, a cloud hangs over the profession and may cause some of the best and brightest in the field to think twice before accepting a top internal security position. Sullivan is a former prosecutor who has won awards from law enforcement for his work fighting internet crime over the past two decades. His conviction now weighs heavily on the world of cybersecurity.
Rob Chestnut is the former General Counsel and Chief Ethics Officer at Airbnb. He spent more than a decade as a Justice Department prosecutor and later oversaw US legal operations at eBay. The author of “Intentional Integrity: How Smart Companies Can Lead an Ethical Revolution,” Rob is a consultant on legal and ethical issues.