Rob Chesnut is the former general counsel and chief ethics officer at Airbnb. He spent more than a decade as a Justice Department prosecutor and later oversaw US legal operations at eBay. As the author of “Intentional Integrity: How Smart Companies Can Lead an Ethical Revolution,” Rob consults on legal and ethical issues.
Rob wrote this piece in the aftermath of the FTC investigation into the now infamous Uber breach and the federal jury verdict against Joe Sullivan.
The world for in-house legal and cybersecurity professionals was turned upside down this month when a San Francisco jury returned a stunning verdict in a criminal case against Uber ex-security chief Joseph Sullivan.
Sullivan is a friend and former colleague. We worked together at eBay when I was the company’s general counsel and he worked in trust and safety. I was at the courthouse Wednesday when the jury announced its verdict.
Crime? Being a CISO
Sullivan was convicted on a pair of charges stemming from a 2016 breach, in which hackers stole the personal information of 57 million Uber app users. The hackers then contacted Sullivan by email to demand a ransom. He funneled them through the company’s established bug bounty program, paid them $100,000 for information regarding the security flaw, then led a companywide effort to find the hackers and fix the hole.
After discussing the matter with CEO and co-founder Travis Kalanick, Sullivan followed the advice of Uber’s in-house privacy/security lawyer and concluded that it was not necessary to report the breach to authorities. That was a tragic mistake with wide-ranging and serious implications for top lawyers, compliance officers and cybersecurity leaders across the business world.
Uber agreed in 2018 to pay $148 million to settle claims across the country related to the breach.
Now, Sullivan has been convicted on two counts, obstructing a government investigation and concealing the theft of personal data, which together carry a maximum sentence of eight years in prison. Although he is likely to receive a much less severe punishment, the conviction highlights the very real personal consequences facing corporate executives if hacks are not properly handled.
It’s not just the data and privacy crowd that should be paying attention. Now is the time for the general counsel to get in-house privacy, legal and security leaders into a room for a conversation.
Don’t Be Uber
First, don’t be like Uber. Executives need to make a clear commitment that what happened in this case will not happen at your company.
Sullivan had little support in making the reporting decision and was abandoned by the company as the investigation unfolded, a fact that has unnerved the cybersecurity community. Kalanick, long gone from Uber, took no responsibility for the decision. Uber’s now former general counsel Salle Yoo claimed that she was unaware of this major breach at the time, even though members of her legal team were working on the matter and numerous engineers were engaged in fixing the security hole.
Then she slipped out the back with a $60 million severance package in exchange for her incredible testimony.
Craig Clark, the Uber attorney who advised Sullivan that he didn’t have to report the breach, took a deal from prosecutors. He got immunity in exchange for testifying against Sullivan.
That’s not to mention Uber’s current CEO, Dara Khosrowshahi. Anxious to demonstrate a clear break from Uber’s troubled ethical past with “Uber 2.0,” Khosrowshahi was only too happy to make an example of Sullivan by firing him and showing up at the trial to testify.
It’s small wonder that in-house attorneys and cyber leaders may be extremely nervous about how they’ll be supported if they err, particularly as there is no clear guidance on how wide a net prosecutors and regulators may cast in the aftermath of a hack.
Process and Collaboration; Tell Everyone You Can Find
There’s comfort, and better decision-making, in process and collaborative thinking. GCs need to quickly establish a careful process to follow in the wake of future breaches.
That process has to involve all key players, including the general counsel, chief compliance officer and chief security officer and, for major breaches, most especially the CEO and the board. Outside counsel should also be consulted. All parties should be mindful of how regulators and juries are likely to react to decisions to conceal significant breaches, in a new business environment where secrets are frowned upon and transparency around consumer data is increasingly the expectation.
All involved leaders should ensure that they are designated as officers entitled to coverage under the company’s director and officer liability insurance plan. Failing that, anyone caught on the record in an admissible interview may find that the only remaining option is to trade it for immunity and then talk.
For GCs, the time is now to review once again your company’s bug bounty program and practices. These programs are now widely and frequently used by companies of all sizes to compensate individuals who report bugs relating to security exploits and vulnerabilities.
The problem is that payouts under these programs often come with non-disclosure agreements that silence the party that flagged the bug for the company. Prosecutors in the Sullivan case said Uber’s use of such an agreement proved that it was trying to conceal the breach.
After Sullivan’s conviction, companies are likely to consider more carefully whether a disclosure is prudent for each new bug report.
It will be interesting to watch post-trial motions and the appeal in the Sullivan case.
Target the Company, not the CISO
I, like many others, believe that it is a company’s decision whether to report a breach, not one that should fairly fall on one person’s head. As such, any criminal cases for failure to report such breaches should be targeted at companies, not individual leaders. Had Uber been able to turn to an established process that carefully engaged a wide variety of stakeholders in the aftermath of the breach, this case might not have targeted Sullivan or happened at all.
In the meantime, a cloud hangs over the profession and may lead some of the best and brightest in the field to think twice before taking a top in-house security job. Sullivan is a former prosecutor who earned accolades from law enforcement for work fighting internet crime over the last two decades; his conviction now looms large over the cybersecurity world.
Regardless of sentencing, the industry has a new challenge and one it didn’t need: Who will be willing to take that top job? If the sentencing is freighted with a message, this case will have created an even bigger challenge: Who will be willing to even work in the field? Miss Khan, in her righteous enthusiasm for ‘justice’ just created a huge dark hole into which any progress we’ve made over the last few years has disappeared. Who will defend our critical assets and IP now?
Was today’s security walkout at Twitter a protest at Musk or a hat tip to the FTC in the wake of the Sullivan verdict? Polls on LinkedIn run favorably toward the option of ‘never in a million years’ when asked whether anyone would take the CISO job at Twitter. Is that Musk, or is it the eight years of jail time that Sullivan now faces for doing his job?
When companies like Facebook are banned from acquisitions of 12-person startups, which VCs will invest in innovation? What will we tell the LPs when they want to know where their capital went?
Maybe none of that matters to Khan, but it matters to me. It also matters to the tireless leaders and warriors who take the fight to the enemy every day. And it’s going to matter to my kids, and your kids as we continue marching backward, ill-equipped and unable to withstand enemy fire, without a next-generation counter-punch of appropriate magnitude.
It’s all well, good and holy to go to bed knowing that you have not sold out, but when we lose this cyberwar we are in, relinquish our freedom to the Chinese and abolish the Federal Trade Commission in favor of the PRC’s National Development and Reform Commission, will Miss Khan still be sleeping soundly?