The Uber Data Breach Conviction Shows Security Execs What Not to Do

Uber’s former chief security officer, Joe Sullivan, was found guilty this week of actively hiding a data breach from the US Federal Trade Commission (FTC) and concealing a felony. The case has reverberated through the security and tech worlds because it is seemingly the first time an individual executive has faced criminal prosecution on charges related to a data breach against the executive’s own company. As alarming as Sullivan’s conviction may be to some, gauging the fallout for security executives is anything but straightforward.

Chief security officers are sometimes wryly referred to as “chief scapegoat officers” or “chief sacrificial officers,” because the practical challenges of securing massive organizations are so great. It is all but inevitable that companies will suffer hacks and breaches, and CSOs preside over the aftermath. Many now worry that Sullivan’s conviction will make the already daunting role even less appealing to top talent. But the United States Department of Justice is positioning the case as an opportunity to set guardrails around what behavior is—and isn’t—acceptable in the fraught balancing act of corporate breach response.

“This definitely will have a chilling effect,” says Anthony Vance, a professor and researcher at Virginia Tech who focuses on how individuals and organizations can improve cybersecurity practices. “Most people aren’t clear about the nuance that is involved here, but more generally, it does show that someone could be held accountable and convicted for a data breach, which has never happened. It’s possible even if this is an extreme case.”

Sullivan’s trouble goes back to November 2016, when Uber suffered a data breach that compromised personal information of more than 57 million users, including drivers and passengers. The rideshare giant didn’t disclose the breach until November 2017, when its current chief executive officer, Dara Khosrowshahi, took over and fired Sullivan along with a company lawyer, Craig Clark. In 2018, Uber paid $148 million to settle with attorneys general across the United States for violating state data breach disclosure laws.

The delayed notification in itself isn’t what brought Sullivan into the Justice Department’s crosshairs, though. When Sullivan learned about the 2016 hack, he was already working with the FTC on its ongoing investigation into another, unrelated 2014 Uber data breach. Among other things, Sullivan gave a sworn deposition to the FTC about that incident and the steps Uber had since taken to improve its digital security practices. Ten days after providing this testimony, he learned of the new data breach. The hackers attempted to extort the company by threatening to publish the data they had stolen if they didn’t receive payment. Sullivan was convicted of spearheading the effort to cover up this breach by paying the hackers $100,000 through the company’s bug bounty program. As part of the deal, authorities say, he required the hackers to delete the stolen data and sign a nondisclosure agreement about the incident. These actions amounted to a failure to report a felony, according to the DOJ, and resulted in a “misprision of felony” charge. He was also charged in 2020, and convicted this week, of obstruction of FTC proceedings for failing to amend his testimony to the agency about Uber’s security conditions once he learned of the 2016 breach.

“This is a unique case because there was that ongoing FTC investigation,” says Shawn Tuma, a partner in the law firm Spencer Fane who specializes in cybersecurity and data privacy issues. “He had just given sworn testimony and was most certainly under a duty to further supplement and provide relevant information to the FTC. That’s how it works.”
