How Compliance Officers Can Avoid Personal Liability – Lessons from the Uber Data Breach
Just weeks before the end of 2022, data stolen from Uber Technologies Inc. was leaked online. The data came from multiple breaches of the embattled rideshare company, including from 2014, 2016, and September 2022.
The news of this latest data leak comes two months after the conviction of Joseph Sullivan, Uber’s former Chief Security Officer (CSO). United States Attorney Stephanie M. Hinds and FBI San Francisco Special Agent in Charge Robert K. Tripp announced on October 5, 2022 that Sullivan had been convicted by a federal grand jury for his attempts to cover up the details of two separate breach incidents of Uber’s database in 2014 and 2016—breaches that affected tens of millions of Uber account holders.
The evidence at trial established that in 2014, Uber notified the Federal Trade Commission (FTC) that it had suffered a data breach that resulted in the unauthorized access of approximately 50,000 consumers’ personal information, including names and driver’s license numbers. As a result, the FTC’s Division of Privacy and Identity Protection launched an investigation into Uber’s data security program and practices.
Subsequently, Sullivan was hired as Uber’s CSO in April of 2015 and the evidence at trial established that he played a central role in responding to the FTC’s Civil Investigative Demand—received by Uber in May of 2015—to produce information regarding any other instances of unauthorized access to consumers’ personal information and the company’s security operations.
Sullivan supervised and participated in Uber’s response to this demand and in November of 2016 he testified under oath before the FTC regarding Uber’s data security program and practices—including the specific steps that he claimed Uber had taken to secure consumer data. Then, ten days later, Sullivan was informed that Uber had been hacked again when he received an email from the hackers themselves.
The hackers informed Sullivan that they had stolen significant user data and demanded a large ransom from Uber in exchange for deletion of the data. Uber employees determined that these hackers had stolen personal data on approximately 57 million Uber users and the driver’s license numbers of 600,000 users. Sullivan also learned that these same hackers were breaching the information systems of other corporations and demanding ransoms.
In response to learning of the hack’s details, Sullivan—instead of reporting this breach to the FTC—executed a “scheme” to prevent the FTC from discovering the incident. The evidence established that Sullivan told a lower-level employee that Uber “can’t let this get out,” instructed employees to ensure that information relating to the breach was “tightly controlled,” and directed that those outside of the security group were to be told that “this investigation does not exist.”
Further, in December of 2016, Sullivan paid the hackers $100,000 in bitcoin in exchange for receipt of a signed non-disclosure agreement that required the hackers to promise not to reveal the hack and (falsely) stated that the hackers did not take or store any data during the breach. At the time, the hackers refused to disclose their names, but Uber was able to identify them in January of 2017. Uber then required the hackers to execute new copies of the non-disclosure agreements.
During this process, the evidence at trial established that Sullivan continued to work with Uber’s general counsel regarding the remediation of the 2014 breach and failed to notify them of the 2016 incident at any point, even after the FTC and Uber agreed to enter into a preliminary settlement agreement in the summer of 2016.
When Uber came under new management in late 2017, Uber’s new CEO began investigating the 2016 data breach. In response to the new CEO’s inquiries, Sullivan stated that the hackers had only been paid after they were identified, and deleted parts of a draft summary prepared by a lower-level Uber employee stating that Uber users’ personal information had been breached. Sullivan also lied to Uber’s outside counsel tasked with investigating the incident.
In November of 2017, Uber’s new CEO discovered the true specifics of the 2016 incident and disclosed the incident to the public and to the FTC. When these hackers were prosecuted and charged on October 30, 2019 for these and other related actions, their guilty pleas evidenced that Sullivan assisted in concealing their hacks, which allowed them to commit a subsequent data breach on another corporate entity.
Sullivan was charged with obstructing justice and committing a misprision of felony—meaning that he had knowledge of a federal felony that had been committed and acted to conceal it. Sullivan faces a maximum of five years in prison on the obstruction charge and three years on the misprision charge.
The takeaway from Sullivan’s prosecution is simple: “don’t obstruct a government investigation through hush payments and cover-up actions, because that will not be tolerated,” said Principal Associate Deputy Attorney General Marshall Miller on December 6, 2022, at an American Bankers Association conference. Miller clarified in his remarks that Sullivan’s prosecution “stemmed from an extreme set of actions that represent an acute outlier from regular compliance practice,” and that compliance professionals won’t be held personally liable for corporate mistakes, so long as they follow the law to the letter:
“The most important message here is the simplest one, and let me repeat it for emphasis: the department is placing a new and enhanced premium on voluntary self-disclosure,” and that “when companies do, they can expect to fare better in a clear and predictable way.”
That’s why Uber received a non-prosecution agreement following their discovery and disclosure of the wrongdoing, while Sullivan — who refused to disclose and acted to prevent disclosure — received a prison sentence.
According to Miller, the sections of the Department of Justice (DOJ) that prosecute corporate crimes “are in the process of preparing or updating voluntary self-disclosure policies that will be clear, public, and feature the same core tenet: Any company that self-discloses misconduct promptly will not be required to enter a guilty plea—absent aggravating factors—and will not be assessed a monitor, if it has fully cooperated, remediated and implemented and tested an effective compliance program.”