Should a company executive face criminal charges after a data breach? That’s one of the questions opened up by the remarkable recent trial of Joe Sullivan, former head of cyber security at Uber, who was convicted of essentially hiding a hack from federal investigators. The case has people in cyber security divided and maybe a little bit scared. In this episode of Debugger in 10, Duke University Law Professor Shane Stansbury dives into the details.
The case is quite unique: Uber was already under investigation by the Federal Trade Commission for an earlier breach, so Sullivan’s failure to notify investigators of the second one, and his decision to pay the hackers for their silence instead, was a point of contention. Still, Stansbury told me the case is a signal to cyber executives that federal authorities want more transparency when hacks happen.
Stansbury also discusses why then-CEO Travis Kalanick didn’t face similar legal jeopardy. Additional analysis of the case can be found in this New York Times piece, written by Kashmir Hill and Kellen Browning. A full transcript is below.
Bob: Should a company executive face criminal charges after a data breach? That’s one of the questions opened up by the remarkable recent trial of Joe Sullivan, former head of cyber security at Uber, who was convicted of essentially hiding a hack from federal investigators. The case has people in cyber security divided and maybe a little bit scared. Here to dive into the details with me is Duke University Law Professor Shane Stansbury. Shane, give us the particulars of the case.
Shane Stansbury: Thanks, Bob. Yeah, the case is fascinating because this is the first time we’ve seen a CSO being prosecuted for activities relating to a data breach. The case arose out of actually two data breaches. One occurred in 2014 and the other a couple of years later. So Joe Sullivan was an interesting character in this story because he was lauded by many in the security industry as the CSO of Uber.
He had come from Facebook and eBay and other places, and was quite respected in the industry. He came to Uber in 2015, and at that time Uber was being investigated by the FTC relating to a 2014 data breach, and Sullivan was involved in the responses to the FTC investigation. He testified under oath at the FTC.
He gave presentations about Uber’s data security practices. And so he was, you know, quite central to that investigation. Well, 10 days later, after he had given testimony at the FTC, the second data breach occurred, and it looked quite like the other 2014 breach, but was different in scale.
I think it was 57 million Uber users and about 600,000 drivers. And their driver’s license numbers were compromised. And the essence of the case: after learning of that second breach, Sullivan did not disclose that information to the FTC, which was still investigating the case. And they were trying to wrap up the investigation and hammer out a settlement.
There are some details of the case that are intriguing, and that made it quite difficult for the government, given that Sullivan obviously wasn’t working alone. But the essence of the case is that he did hide this information. And then later it was discovered after Uber got new management and a new CEO.
An internal investigation followed, at which point Uber came clean to the FTC, which obviously had to put the pause button on the prior settlement.
Sullivan ultimately was indicted and went to trial. And many in the industry were watching very closely to see what happened.
It was not an easy case for the government by any stretch, but I can’t say that I was surprised that they ultimately got a conviction.
Bob: So one of the defenses that the Sullivan team put forward was that they had steered these hackers towards a bug bounty program, and the hackers demanded a ransom of a hundred thousand dollars.
And they said, Well, you know, we don’t pay ransom, but we do pay bug bounties for people who find vulnerabilities. And that’s pretty common in the industry. Is there a distinction between these two things, and how would you explain why the jury found that Sullivan’s actions were criminal?
Shane Stansbury: Yeah, I should back up and say that Sullivan was indicted on two counts. One of those counts related to the obstruction of the FTC investigation. The other was a count of what we call misprision of felony, which is essentially taking an affirmative act to hide a felony that has occurred. And I think particularly with that second count, I obviously can’t stand in the shoes of the jury, but I’m sure that it was central to them that Sullivan and others had used that bug bounty program to hide the felony conduct by the hackers.
So, as you mentioned, there was a $100,000 payment that was made to the hackers through that bounty program, which I think by its terms was limited to a $10,000 payment. And essentially what Sullivan and some others he was working with said was, Why don’t you sign this nondisclosure agreement?
We will give you the bounty. And critically, in that nondisclosure agreement it was represented that the hackers did not take or store any data from the ... So I think that misrepresentation was central, and I think that set of facts distinguishes it from the typical bug bounty program that you might see in a typical corporation.
Bob: So while Sullivan was head of security at the time, he wasn’t the CEO of the company. That was Travis Kalanick. There’s a lot of discussion about why he wasn’t more liable. I mean, it seems farfetched that he wasn’t involved in this deal with the criminals. What do you think of that?
Shane Stansbury: Yeah, I think there are definitely people who are frustrated that Sullivan was the one indicted and that others weren’t. I mean, that’s not uncommon in criminal cases. Right. You know, if a CFO of a bank is indicted and the CEO is not, sometimes people will get frustrated: well, that other person should have been indicted too. I think those are legitimate questions to ask, because Sullivan did have conversations with Kalanick during that time period we discussed. He also, critically, had discussions with Craig Clark, who was an in-house lawyer and was central to the government’s case. Craig Clark helped draft the nondisclosure agreement. He was given immunity by the government in exchange for his testimony.
It’s always hard, for those of us on the outside, to stand in the shoes of the government and to know what kind of proof they had against Kalanick or Clark or others. All we know is what they were able to present against Sullivan. We do know that they needed cooperators. They needed Craig Clark’s testimony. Did they need Sullivan to flip? Did they need his testimony against Kalanick? Maybe. And maybe that’s why they didn’t bring the case. We don’t know. So I think we have to sort of take the case for what it is. I can’t say that it was, you know, improperly brought, or that I was surprised to see a conviction.
But I think it’s perfectly legitimate for people to ask why others weren’t convicted as well, or indicted as well.
Bob: We know that there is this scourge of ransomware that’s still hitting corporations around the country and around the world. And while the FBI’s public advice is not to pay the ransom, we also know plenty of situations where companies pay the ransom. I wonder if this case has implications for that ongoing activity in the ransomware world.
Shane Stansbury: Well, I think it’s certainly going to cause companies to think about the steps that they need to take if they’re going to proceed with payments. One of the striking things about this case was it didn’t appear that everyone was in the loop, so to speak, when the payment was being made to these hackers. So, you know, I think many companies, or many CSOs standing in the shoes of Sullivan, may have made a similar decision as to whether or not a payment should be made. But that’s a separate question from, you know, how you go about the payment. Right. Sullivan did not inform the general counsel that this was going on. There were a lot of people that probably should have been in the loop. It doesn’t look like Uber had particularly good practices in terms of managing risk when they engaged in these payments. It’s also unclear whether the board was informed.
So I think it’s certainly going to have companies take a step back and think about putting proper processes in place for determining, you know, what thresholds should be met when payments are made, what procedures should be taken, who should be informed, and how they manage that risk if they decide to pay.
Bob: There are those who are calling this the very first cybersecurity perp walk. The first time that someone has had to stand before a jury and have their photograph taken as being criminally liable for something. What are the implications of this first perp walk?
Shane Stansbury: Yeah, I think it’s an important case, but it’s also important not to read too much into it. In some ways this was a unique set of facts. It’s always a bad idea to actively conceal information about a security incident from a government agency when you’re actively being investigated about such an incident. And I think the acts of concealment in some ways were unique.
And so in that way, I don’t know that every CSO needs to sort of be on their heels. That said, I think that it does, you know, send a signal that cybersecurity professionals or officers are, you know, like anyone else, and if they engage in, you know, corporate misconduct, they can be held accountable.
I think it signals that the government is looking to the tech industry like any other industry, like the financial industry, or any other industry in which corporate malfeasance may be going on.
And I think it’s also important to realize that this is against a backdrop of government activity in recent years that’s encouraging greater disclosure. So, with recent activity by the White House, the FTC, SEC, Treasury and others, you see more regulations being proposed, more laws being proposed, in which the government is expecting more disclosures about cybersecurity programs and incidents, and I think as that evolves more will be expected of cybersecurity professionals.
And so, will we see more cases like this? Hard to know. But I think this was a hard case for the government to ignore given the circumstances.
Bob: Duke University Law Professor Shane Stansbury, thank you very much for being here.