On October 5, 2022, a federal jury in the Northern District of California convicted former Uber Chief Security Officer Joseph Sullivan of obstructing a federal proceeding and misprision of a felony for his role in deceiving management and the federal government to cover up a 2016 data breach that exposed personally identifiable information (“PII”) of approximately 57 million users, including approximately 600,000 drivers’ license numbers, of the ride-hailing service. Sullivan, a former federal prosecutor, appears to be the first corporate executive criminally prosecuted—let alone convicted—for his response to a data security incident perpetrated by criminals. Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum three years in prison for the misprision charge.
Uber hired Sullivan as its first Chief Security Officer (“CSO”) following a data breach in September 2014 related to the unauthorized access of approximately 50,000 consumers’ personal information, including their names and drivers’ license numbers. In the wake of the 2014 breach, the Federal Trade Commission (“FTC”) initiated an investigation into Uber’s data security program and practices. As CSO, Sullivan oversaw Uber’s response to federal regulators and provided testimony regarding Uber’s data security practices. During this testimony, Sullivan made specific representations about steps he claimed Uber had taken to keep customer data secure. However, in November 2016—mere days after testifying before the FTC in its ongoing investigation of the 2014 breach—hackers contacted Sullivan to inform him of a vulnerability they had discovered that permitted the extraction of a large volume of Uber’s data. The Company did not disclose the 2016 incident to FTC investigators, and entered into a consent decree with the FTC in August 2016.
According to the Complaint, while conducting an investigation into the incident two years later, Uber’s outside lawyers discovered Sullivan’s misconduct. In response, Uber disclosed the breach publicly, and to the FTC, in November 2017.
The failure to disclose the incident to the FTC during the FTC’s investigation was a critical fact, but perhaps not the most important fact, leading to the prosecution in this case. As properly stated in the jury instruction used in this case for the misprision offense: the “[m]ere failure to report a federal felony is not a crime. The defendant must also commit some affirmative act designed to conceal the fact that a federal felony has been committed. Such an act does not need to be made directly to an authority.” In a Complaint filed in August 2020, federal prosecutors alleged that instead of initiating steps to notify the affected users and relevant authorities as may be required by certain state data breach notification laws, and as Uber had done in 2014 when similar data had been impacted, Sullivan “instructed his team to keep knowledge of the 2016 Data Breach tightly controlled” while he quietly engaged in weeks-long backchanneling with the hackers responsible for it. The negotiations enabled Sullivan to secure nondisclosure agreements from the hackers—including a promise to destroy the data and attestations that they “did not take or store any data” in the first place—in exchange for $100,000. But, as prosecutors alleged, those attestations were false. The government charged that Sullivan improperly made the payment to the hackers under a “bug bounty” program intended to incentivize white-hat hackers to identify security vulnerabilities proactively and in good faith, not to repay those who had in fact accessed and obtained large volumes of personal data in an attempt at extortion. Moreover, the government charged that Sullivan concealed certain details about the incident, resulting in affirmative misrepresentations and misleading omissions when he briefed the new CEO about it.
Sullivan’s actions not only concealed the data breach; the affirmative steps taken to cover up the hackers’ crime also left the hackers in a position to potentially commit other hacks.
Sullivan’s prosecution and trial are notable given that the government put on evidence from one of the very hackers who initially had breached Uber’s systems along with testimony from Uber executives. Prosecutors from the U.S. Attorney’s Office for the Northern District of California charged two individuals, Vasile Mereacre and Brandon Glover, with conspiring to commit extortion involving computers. Both pled guilty in 2019, and Mereacre testified at trial, confirming that he and Glover had downloaded data including the names, email addresses, and phone numbers of 57 million users of the Uber application, along with 600,000 drivers’ license numbers.
In July 2022, the government also entered into a non-prosecution agreement with Uber for a term tied to entry of a final judgment in the prosecution against Sullivan, citing several factors weighing against corporate prosecution:
- A change in leadership in late 2017, and the new leadership team’s prompt investigation of the 2016 breach and its disclosure to the public and regulators;
- The investment of substantial resources to significantly restructure and enhance the company’s compliance, legal, and security functions;
- Uber’s agreement to maintain a comprehensive privacy program for 20 years and to report to the FTC any incident reported to other government agencies relating to unauthorized intrusion into individuals’ consumer information;
- Uber’s full cooperation with the U.S. Attorney’s Office for the Northern District of California, including its agreement to make current and former employees and executives available to the government; and
- The settlement of civil litigation with the attorneys general for all 50 States and the District of Columbia.
As noted in the DOJ’s press release, Uber’s full cooperation played an important role in this decision. According to Deputy Attorney General Lisa Monaco’s September 2022 revision to DOJ’s Corporate Enforcement Policy, a company is eligible to receive “full cooperation credit” from the DOJ when it has not only “promptly notified prosecutors of particularly relevant information once it was discovered,” but also “prioritized” the production of that information deemed “most relevant for assessing individual culpability.” The Monaco Memo emphasizes that a company may lose its “eligibility for cooperation credit”—in whole or in part—if it “delays its disclosure” of significant facts once it identifies them.
The failure to disclose the 2016 incident amidst the FTC’s investigation of Uber’s privacy and cybersecurity practices for a similar incident also led to a revision of the FTC’s consent order to require Uber to notify the FTC of certain incidents involving unauthorized access to consumer information in the future. This revision also could subject the Company to civil penalties if it fails to notify the FTC of incidents in the future in accordance with the terms of the settlement.
This case serves as a cautionary tale for any corporation that runs a bug bounty program, and provides critical lessons for data breach response and cybersecurity governance. For example, companies may want to review their bug bounty programs to ensure proper governance and controls are in place. Companies should also consider their data breach notification obligations following any bug bounty report or cyber incident.