After being found guilty of concealing a 2016 data breach at Uber, the company’s former CSO, Joe Sullivan, has been sentenced to three years of probation, even though prosecutors had recommended prison time.
The criminal case against Sullivan, a long-time and widely respected cybersecurity leader, demonstrates a potential legal risk that executives and companies face for failing to report data breaches. Sullivan, a former federal prosecutor, is the first U.S. corporate executive to be found guilty of crimes related to a data breach initiated by outsiders.
The case also demonstrates the difficult choices that cybersecurity executives sometimes face while dealing with attacks. Sullivan, with the knowledge of then-Uber CEO Travis Kalanick, decided to pay hackers a “bug bounty” instead of reporting the breach to the U.S. Federal Trade Commission (FTC) while the agency was investigating Uber for a different security incident. Kalanick did not face criminal charges related to the hacker payment.
Many cybersecurity professionals had criticized the prosecution and conviction of Sullivan for obstruction of justice and hiding a felony. Many had opposed prison time for Sullivan, saying cybersecurity executives shouldn’t go to jail for making difficult decisions when responding to a data breach.
The job of CISO or CSO “often requires nuanced judgment calls in a largely unregulated environment, which has few explicit rules and regulations, including rules about disclosing data security incidents to the government,” a group of more than 50 people, many of them CISOs, wrote in a letter to the court. “We have many complex responsibilities that require us to act nimbly in time-sensitive, high stakes, and often unique situations.”
While the FTC was investigating Uber in 2016 for an earlier incident, Sullivan learned that personal data on about 600,000 Uber drivers and 57 million riders had been breached. Uber opted to pay the hackers responsible for the 2016 breach $100,000 via a bug bounty program after the hackers threatened to release the more than 57 million records.
Prosecutors recommended a 15-month prison sentence, but many cybersecurity professionals disagreed. Charging cybersecurity executives with crimes for decisions made at the behest of their CEOs and general counsels could make it more difficult to recruit qualified people to these jobs, some argued.
U.S. District Judge William Orrick received more than 180 letters, many of them from cybersecurity executives, praising Sullivan’s cybersecurity career and opposing a prison sentence. In addition to Uber, Sullivan has served as CSO at Cloudflare and Facebook, where he implemented a major child safety program. He is also a former cybercrime prosecutor in the U.S. Department of Justice.
Prosecutors acknowledged that Sullivan had a “spotless history” and is respected in the cybersecurity community.
Practices such as paying a ransom or “bug bounty” to attackers, instead of reporting a breach, were common in 2016, said the letter from CISOs and other cybersecurity professionals. “A priority in our jobs is to prevent customers’ data from leaking, which can lead to massive loss of private information, likely resulting in identity theft and other attacks.”
The case against Sullivan suggests that cybersecurity executives could face criminal or civil liability for decisions made by CEOs or general counsels, the letter added. Even without a prison sentence, the DOJ has succeeded in its efforts to “send a message” that the cybersecurity industry needs to better define the roles of CISOs and CSOs, the letter said.
“Joe’s case has had a huge impact on the cybersecurity community,” the CISOs wrote in the letter. “It has been the subject of frequent executive team conversations and panel discussions at industry seminars, and a significant driver of efforts to change policies and practices to err on the side of disclosure, even when the legal requirement to do so remains unsettled.”