On August 20, 2020, a criminal complaint was filed charging Joseph Sullivan, Uber’s former chief security officer, with obstruction of justice and misprision of a felony in connection with an alleged attempted cover-up of a 2016 data breach. These are serious charges for which Mr. Sullivan has the presumption of innocence.
At the time of the 2016 data breach, Uber was being investigated by the US Federal Trade Commission (FTC) in connection with a prior data breach that occurred in 2014. According to the complaint, the hackers behind the 2016 breach stole a database containing the personal information of about 57 million Uber users and drivers. The hackers contacted Uber to inform the company of the attack and demanded payment in return for their silence. According to the complaint, Uber’s response was to attempt to recast the breach as a legitimate event under Uber’s “bug bounty” program and pay a bounty. An affidavit submitted with the complaint portrays a detailed story of deliberate steps undertaken by Mr. Sullivan to allegedly conceal the 2016 breach from the FTC, law enforcement and the public.
Contemporaneous with the filing of the complaint, the Department of Justice (DOJ) issued a press release quoting US Attorney for the Northern District of California David L. Anderson:
“We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
The press release also quoted Federal Bureau of Investigation (FBI) Deputy Special Agent in Charge Craig Fair:
“Concealing information about a felony from law enforcement is a crime. While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”
Collectively, the case and the statements from the DOJ are probably a unicorn: if the facts as alleged are true, they arise from a deliberate cover-up of a data breach in the course of an active FTC investigation. However, many of the DOJ’s statements and the specific allegations in the complaint appear to have potentially far-reaching implications (for companies, their executives and cybersecurity professionals) that breach response counsel must seriously consider in future incidents.
A common question when responding to a ransomware or other cyberattack is whether and when to inform law enforcement. The criminal complaint has the potential to make this an even more difficult decision for future cyberattack victims. Further, while the alleged conduct at issue may seem particularly egregious, the DOJ’s statements could blur the line between what the government may contend is illegal concealment of a security incident and activities generally thought to be legitimate mitigation of security incident risk and exposure. We explore these and other key takeaways from the criminal complaint in more detail below.[...]