Practical Guidance In-House Counsel Should Follow & Share with IT Staff Handling Data Breaches

On August 20, 2020, Uber’s former Chief Security Officer, Joe Sullivan, was charged by the U.S. Department of Justice (DOJ) with obstruction of justice and concealing a felony for allegedly trying to cover up a 2016 cyberattack that exposed the personal data of 57 million users and drivers and misleading the Federal Trade Commission (FTC) about the 2016 incident. Based on the criminal complaint filed against Sullivan, individuals and corporations can learn valuable lessons in responding to cyber intrusions by considering what Sullivan allegedly did wrong and what corporate officers should do when responding to a cyberattack. Below is an overview of Sullivan’s federal indictment and some key takeaways for consideration.

1.  Sullivan’s Alleged Obstruction of Justice

Sullivan is accused of lying to the FTC about the 2016 incident, which included a $100,000 payoff he allegedly arranged with two hackers that, per a witness, falsely stated they did not obtain or steal Uber's data pursuant to a non-disclosure agreement, according to the DOJ. As per the criminal complaint, "[t]his misrepresentation concealed the fact that the hackers had, in fact, stolen data, thereby falsely giving the incident the appearance of a typical bug bounty claim rather than a data breach.”

Uber initially referred to the payout internally as part of its "bug bounty" program, which incentivizes cybersecurity experts to report security flaws to the company. But the $100,000 sum was 10 times the program's award cap at the time, and an Uber executive later admitted to Congress that the payoff was akin to extortion. The payment and alleged cover-up came at the same time Uber was negotiating a settlement with the FTC over a similar 2014 incident in which hackers exfiltrated user data from one of Uber's cloud storage sites, according to the criminal complaint. Both the 2014 breach and the 2016 breach used the same method of access to the cloud storage sites through credentials stored in clear text on a hosting service platform.  

The charges stem from the fact that Sullivan allegedly intended to impede the FTC’s then-current investigation into the 2014 breach by not disclosing the new 2016 breach, including in supplemental interrogatories issued by the FTC after the breach that specifically required the disclosure of information about any breach. Further, five months after the 2016 breach, Sullivan reviewed a letter Uber planned to send to the FTC requesting that the FTC close its investigation into Uber. The letter claimed, among other things, that “the data security incidents at issue reflect no misdirected priorities, no failure to appreciate the risks, and no lack of security knowledge or care” and that Uber had implemented additional security measures regarding “credential protection and management and other aspects of data security.” This charge does not suggest that Sullivan would have had a duty to notify authorities had the 2014 breach investigation not been underway. 

Business records generated in the course of the response to the breach were used by the DOJ to show that Sullivan had allegedly instructed his team to keep knowledge of the 2016 breach tightly controlled. According to the criminal complaint, a witness also reported that Sullivan stated in a private conversation at the time "that he could not believe they had let another breach happen and that the team had to make sure word of the breach did not get out.” In addition, Sullivan’s effort to cover up the issue were allegedly logged in an issue tracking system known as the “Preacher Central Tracker,” which included information, admitting that the access credentials had not been changed for years, and internal communications indicating Sullivan’s knowledge of the breach and attempt to keep it confidential.  

In addition, the indictment alleges that Sullivan misled Uber's new management team that took over in 2017 by removing certain details from a summary prepared by his team that would have illustrated the true scope of the breach prior to handing over the summary to management. One such omission was that the hackers had actually stolen data. Uber announced the data breach in November 2017 and stated that Sullivan had been fired for not disclosing the incident sooner.

The charges against Sullivan come after the hackers had plead guilty to conspiracy to commit extortion charges for their roles in the 2016 breach. In their plea agreements, the hackers admitted targeting and successfully hacking other companies after they extorted Uber for the $100,000 and Uber failed to bring the data 2016 breach to the attention of law enforcement. The cover-up allegedly prevented law enforcement from apprehending the hackers, which may have prevented the hacking of additional technology companies. 

Sullivan faces up to five years in prison if convicted on the obstruction charge, and up to three years in prison if convicted on the concealing a felony charge.  

2.  Key Takeaways

The DOJ’s complaint in this case sheds light on the degree of transparency and cooperation expected by the government, or at the very least what it will not tolerate. The following are preliminary takeaways and issues for consideration. 

• Disclose a Breach When You Are Legally Required To Do So. Breach disclosure is mandatory for companies holding personal information. Different states have different laws regarding the thresholds, timelines, and content of reporting. It is a mistake to consider such reporting optional. Many states have significant civil penalties for non-compliance. 
   
• Senior Executives Will Need to Be Mindful That Statements They Make (Or Fail to Update) Could Subject Them Individually to Criminal Liability. If a company reports an incident but chooses not to disclose particular aspects of that incident on the basis that they are not “material” or do not meet other notification thresholds, such as state breach notification obligations, there is a realistic possibility that such selective disclosure might be perceived as illegal concealment, which may result in personal criminal liability.
   
• Be Careful With Whom You Communicate. Some of the most active cyber threat actors in recent actions are Russian, North Korean, or Iranian. Many of these parties are subject to strict economic sanctions enforced by the U.S. Treasury Department’s Office of Foreign Assets Control, and some of them are under federal indictment as well. As a result, facilitating a payment to these cyber threat actors (whether in the form of a ransomware payment or other bounty payment) can expose a company to significant civil and criminal penalties, ranging anywhere from $300,000 to $2MM on top of fees that were paid and/or up to 20 years in prison. 
   
• Exercise Caution When Using Outside Third Parties to Facilitate Payments to Hackers. Using an outside third party to provide bounty hunter, dark web and ransomware/bitcoin services does not relieve any liability against an organization that hires such a vendor for illegal activities and responsible employees may be subject to criminal penalties for directing those vendors to pay threat actors or cover-up related data breaches. All bounty hunter, dark web, ransomware/bitcoin provider contracts should be reviewed to determine if there are any services that are illegal or whether such contract should be revised to address the issues mentioned above.
   
• Be Thoughtful about Communications Regarding an Incident. Any decision to communicate with an attacker should be a joint decision made by the company’s incident response team and not just by a single player on that team, such as the CISO, to ensure compliance with applicable legal requirements and company ethical priorities are met. 
   
• Maintain Documentation of the Incident Response Process and Ensure that it is Protected by Privilege. Incident response tracking information should be documented accurately and carefully. Such information may not be protected by attorney client privilege and become discoverable.
   
• Cooperate with Law Enforcement and Government Regulators. Companies should notify law enforcement if they have any information related to the identity of the cyber-attackers. Once an investigation into a breach is launched by a regulator or law enforcement, it is important to provide all information relevant to the investigation and to avoid any explicit misrepresentations or material omissions from any statements, even if the regulator does not fully appreciate the scope of the breach or if there are multiple related breaches.