Cybersecurity Lessons from the Trial of Uber’s Former Chief Security Officer

In 2016, Joseph Sullivan was chief security officer (CSO) at Uber when a data breach exposed the personal information of 57 million users. Earlier this month, after three weeks of trial, Sullivan was found guilty of concealing the data breach and obstructing the Federal Trade Commission’s (FTC) investigation. He now awaits sentencing, where he faces a maximum statutory penalty of five years in prison for the obstruction charge and a maximum of three years in prison for the misprision charge (failing to report a felony), along with a $250,000 fine for each charge.

This verdict serves as a cautionary tale of the personal, criminal liability cybersecurity professionals, in-house counsel and other company executives could face if their actions are deemed to “cover up” a data breach.

The main issue at trial was whether Sullivan paid a bug bounty or a ransom. Companies often turn to crowdsourcing vulnerabilities of their systems through bug bounty programs that incentivize security researchers to find vulnerabilities in exchange for a monetary reward. In fact, the FTC alleged in a 2022 enforcement action against CafePress that the company failed to provide reasonable security because it “failed to implement a process for receiving and addressing security vulnerability reports from third-party researchers.”

Bug bounty programs can go awry if there is disagreement between the researcher and company concerning the validity of the bug. To prove the vulnerability exists, security researchers may exploit the vulnerability, hold the personal data hostage, and demand the payment they feel entitled to -- which kind of feels like a ransom. The Department of Justice (DOJ) raised similar points around when good-faith research turns into malicious acts in its new policy on Computer Fraud and Abuse Act prosecutions. The distinction is critical because a malicious actor exfiltrating data is actually a data breach, which is required to be reported to the FTC.

In Sullivan, the DOJ argued that the CSO paid malicious hackers a large sum of money with the intention of disguising the data breach as a bug bounty to avoid FTC reporting obligations. The DOJ said that Sullivan executed a nondisclosure agreement (NDA) with the hackers to cover up the incident, rather than in the normal course of the bug bounty program, in which NDAs are common to prevent the researcher from publicizing the vulnerability before it’s patched.

In closing arguments, Sullivan’s lawyer challenged the notion of it being a cover-up by arguing that the blame lay with the numerous executives who allegedly knew about the breach, as well as Uber’s legal team, which allegedly failed to inform the FTC.

Cybersecurity professionals watched this trial closely given that CSOs often do not make the decision of whether to report an incident to the FTC, and it seems unlikely that a CSO would have made the unilateral decision to execute an NDA without consulting the legal department. Ultimately, however, evidence of how the security team responded to the breach, including internal documents and several NDAs, sealed the guilty verdict.

This verdict sets precedent for how the DOJ plans to respond to similar incidents going forward. After the verdict, the federal prosecutor stated, “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and their employers than protecting users.”

Cybersecurity professionals should pay close attention as creative solutions to avoid breach reporting could spell personal liability. As such, here are practical tips for ensuring that teams are protecting the company without exposing themselves to personal liability:

Parker Poe law clerk Alexandria Hill also contributed to this article.