The security world took notice when Uber’s former security chief was charged and convicted last year of covering up a data breach at the company.
Joe Sullivan, 54, was sentenced recently in U.S. District Court in San Francisco to 3 years of probation, 200 hours of community service and ordered to pay a $50,000 fine -- but he will not spend a day in prison. The sentence was handed down in California by the U.S. District Judge William H. Orrick after a jury rendered its guilty verdict in October.
Some question whether the sentencing amounts to a slap on the wrist due to the considerable threat data breaches are posing to the U.S. and countries around the world.
With the concern about liability for data breaches in the C-suites, there may be a movement by executives to protect themselves in employment contracts from having to shoulder the burden for legal expenses in cases like this.
“The no-prison sentencing decision is certainly a relief for many cybersecurity executives who were closely watching this unprecedented incident,” says Ilia Kolochenko, founder of ImmuniWeb and a member of Europol Data Protection Experts Network. “The decision will be prudently regarded through the prism of rapidly growing personal liability of cybersecurity executives and board members for security incidents and data breaches.”
Avoiding ‘Debacles’
Kolochenko says most countries are enthusiastically developing new legislation that provides administrative, civil and even criminal sanctions for corporate management. But he notes that in Finland, a former CEO of a breached healthcare company recently received a 3-month suspended sentence.
“To avoid such debacles, executives should take cybersecurity extremely seriously, establishing and enforcing a long-term data protection strategy within their organizations,” Kolochenko says.
Prosecutors said trial evidence established that while Sullivan was serving as chief security officer, Uber was under investigation by the Federal Trade Commission (FTC) as a result of a data breach Uber suffered in 2014.
The FTC’s Division of Privacy and Identity Protection, which oversees issues related to consumer privacy and information security, among other things, ultimately investigated both the nature and circumstances of that breach and Uber’s broader cybersecurity program.
The government says Sullivan was hired soon after the FTC investigation launched and he participated in Uber’s response to that investigation, including its efforts to comply with investigative demands issued by the FTC. Sullivan participated in a presentation to the FTC in March 2016 regarding Uber’s cybersecurity program and he testified under oath in November 2016, prosecutors say.
Ten days after his sworn FTC testimony, prosecutors say, Sullivan learned Uber had been hacked again, this time by attackers exploiting the same vulnerability that had led to the 2014 breach. Unlike the 2014 breach, the data stolen in 2016 was “massive in scale,” prosecutors say, and included records associated with about 57 million Uber users and drivers. The government alleges that despite having testified regarding that same security vulnerability and related issues 10 days earlier, Sullivan “executed a scheme to prevent any knowledge of the breach from reaching the FTC.”
For example, Sullivan told a subordinate that they “can’t let this get out” and stated that the breach would “play very badly based on previous assertions” to the FTC.
Other Shoe Drops
Sullivan also arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which the hackers promised not to reveal the hack to anyone, the government says.
Those contracts, drafted by Sullivan and a lawyer assigned to his team, falsely represented that the hackers did not take or store any data in their hack. Afterwards, prosecutors say, Sullivan continued to work with the Uber lawyers handling or overseeing the FTC investigation, including the General Counsel of Uber, but he withheld information about the breach from all of them.
Uber ultimately entered into a preliminary settlement with the FTC in summer 2016 without disclosing the 2016 data breach to the FTC. As part of the negotiations, Sullivan learned the FTC was relying on false information previously provided by Uber, but he failed to alert any of Uber’s lawyers or the FTC.
Uber’s new management began investigating facts surrounding the 2016 data breach the following year. According to prosecutors, when asked by Uber’s new CEO what had happened, Sullivan lied about the circumstances of the breach, including by telling the CEO that the hackers did not steal any data.
Sullivan lied again to Uber’s outside lawyers who were investigating the incident. The truth about the breach was ultimately discovered by Uber’s new management, which disclosed the breach publicly and to the FTC in 2017.
In the federal government’s sentencing memo to the court, prosecutors argued that Sullivan was a wealthy and connected person and there could not be two systems of justice for the privileged and the rest of society.
Driving a Wedge
Prosecutors in their April pre-sentencing memo said the case isn’t about undisputed merits of bug bounty programs, or difficult decisions made every day by cybersecurity professionals, or a good-faith error made by Sullivan during a stressful security incident.
“Indeed, while the case arose in the context of cybersecurity incident, it is not ultimately about the details or merits of cybersecurity practices. Rather, it is about a powerful person’s intentional exploitation of his position to cover up a deeply embarrassing event — an event that also happened to be a crime — over the span of nearly 12 months.”
The government described Sullivan as a senior corporate executive with years of experience in both cybersecurity and the criminal justice system who opted to “harness the resources of a multinational corporation to silence witnesses, generated fraudulent corporate paperwork, ratified false statements to the FTC and lied to Uber’s new CEO and internal investigators.”
“The government does not dispute any of (Sullivan’s) good deeds or general moral qualities as reflected in the many letters submitted on his behalf. Those same moral qualities only underscore that (Sullivan) knew how wrong his conduct was, and the case stands as shocking proof that even such a revered figure in his community will resort to criminal activity when his reputation is on the line and he thinks no one is watching.”
Why Prison Needed
Prosecutors noted there was a “very specific need” in the case for a prison sentence, asserting that one theme emerging in letters on his behalf is that many in the cybersecurity industry “are not aware of the egregious conduct (Sullivan) has been proved guilty of — the witness tampering, the fraudulent corporate paperwork, the many lies.
“Letter after letter … suggests that this prosecution reflects simple second-guessing of a difficult decision, and that (Sullivan) is nothing more than a scapegoat, and that neither the government nor the jury really understands cybersecurity. This false narrative has the real potential to drive a wedge between the cybersecurity community and law enforcement at precisely a time when our country is facing an unprecedented array of cyber threats that require those two communities to work hand-in-glove.”
Protective Clauses Needed?
But some critics note former Uber CEO Travis Kalanick was never charged by the U.S. Department of Justice in connection with the breach. The Washington Post reported that even Orrick wondered aloud about that during sentencing, stating Kalanick was equally responsible for the offenses.
But Orrick also said he was influenced by the nature of the case and future offenders coming before him would be jailed, “even if they were the pope,” the Post reported.
There have been some developments in terms of executives being required to take specific actions after data breaches.
The Federal Trade Commission finalized an order in January with online alcohol marketplace Drizly and its CEO over security failures by the company that the FTC said led to a data breach exposing the personal information of about 2.5 million consumers.
According to an FTC complaint first announced in October 2022, Drizly and its CEO James Cory Rellas were alerted to security vulnerabilities two years prior to the 2020 breach but didn’t take steps to protect consumers’ data from hackers despite publicly claiming to have appropriate security protections in place.
The FTC said Drizly failed to implement basic security measures, stored critical database information on an unsecured platform, and neglected to monitor security threats.
The FTC’s order requires Drizly to implement a comprehensive information security program and establish security safeguards to protect against the types of security incidents outlined in its complaint.
In addition to the requirements imposed on Drizly, Rellas must implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.
Kolochenko believes the industry will likely see a surging number of civil actions and criminal prosecutions of executives for data breaches.
He says regular external and internal audits must be conducted by companies to timely detect possible deficiencies and to ensure continuous improvement of their cyber resilience.
“All activities should be properly documented and be available for audit or inspection to demonstrate diligence, compliance and due care,” Kolochenko says.
“Additionally, executives may consider incorporating protective clauses in their employment contracts to cover their personal litigation expenses by the employer when sued by third parties or prosecuted by state authorities.”
John Dobberstein is managing editor of SecurityInfoWatch.com and oversees all content creation for the website. Dobberstein continues a 34-year decorated journalism career that has included stops at a variety of newspapers and B2B magazines.