Thank you to BakerHostetler for the current legal insights –
Just my opinion, but my understanding of this case is that Joe Sullivan had specific directions from the then-CEO to cover up this breach and work out a negotiation with the bad guys for a significantly lower amount and to keep it all quiet. Why then, isn’t Kalanick on trial?
The last time I checked, the board and certain C-level officers of a corporation have, and are bound to execute, fiduciary responsibilities to protect shareholders, employees and other stakeholders from harm. That fiduciary burden doesn’t extend to other implied C-level officers such as the Chief Information Security Officer, Chief Revenue Officer or Chief Marketing Officer.
This feels like a Northern District Justice and FBI bruised-ego play. “Technology companies in the Northern District of California collect and store vast amounts of data from users,” says U.S. Attorney Stephanie Hinds, the plaintiff bar in this case. “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers. We will not tolerate the concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”
It also offered a rare opportunity to punish a big tech company representing that Silicon Valley “bad boy” sector which has been alleged to have been running roughshod over the FTC and Justice rules for years.
Fiduciary Precedent
More than a decade ago in the seminal case Gantler v. Stephens, the Delaware Supreme Court clarified that officers of Delaware corporations owe the same fiduciary duties of care and loyalty that directors owe to the corporation and its stockholders.
While directors and officers owe the same fiduciary duties, they are not entitled to the same defenses. Delaware law permits a corporation to adopt a provision in its certificate of incorporation exculpating directors from money damages for breaches of the duty of care. Those provisions, which are routinely adopted by Delaware corporations, do not apply to corporate officers. In California, the law requires only three officers: the CEO, Treasurer and Secretary.
To adequately plead a breach of the duty of loyalty, a plaintiff must show that fiduciaries acted in a self-interested manner or in bad faith, which is a high bar to meet. By contrast, to plead a breach of the duty of care, a plaintiff must allege only that the fiduciaries acted in a grossly negligent manner, a far lower bar that makes care claims a prime target for stockholder plaintiffs. Even so, until recently, officer liability cases were still few and far between. The rare officer liability claim was typically brought in derivative litigation and involved either allegations of disloyal conduct for which neither a director nor an officer could be exculpated or conduct by an individual serving in both an officer and director role. Claims against an officer for breach of the duty of care were exceedingly rare.
Now, suddenly, because the Northern District of California Justice Department was able to gather sufficient evidence and testimony from people intimate with the breach (in exchange for a guarantee of immunity) to build a case on the theory of obstruction of justice and misprision of a felony, an otherwise competent, diligent, smart and experienced CISO, to whom no fiduciary responsibility fell, is going to have to pay a price in jail.
Simply failing to disclose a data breach is not a crime. Obstructing a regulatory investigation into a cyber incident and actively concealing an incident from regulators seeking information about the incident or the company’s security posture, however, is. From the trial testimony, it appears that Joe Sullivan is guilty of doing exactly that in this instance.
Sullivan Chose the Worst Alternative
There were many ways to handle the breach, but Sullivan chose one of the worst available, and this choice should be the real lesson that folks in the cybersecurity practitioner community carefully heed. Without the active FTC investigation, there would have been no proceeding to obstruct.
Sullivan and his team paid the attackers not only to prevent the release of the stolen data but also to buy the hackers’ silence at a time when Uber was under investigation by the Federal Trade Commission for a separate but similar data breach that Uber discovered in September 2014 and reported to the FTC in February 2015. Sullivan was heavily involved in Uber’s response to and settlement negotiations regarding the FTC’s investigation of the 2014 breach. He had worked with Uber attorneys to draft responses to FTC interrogatories and data requests seeking information about the 2014 breach, any other security incidents Uber had detected and Uber’s security program. He had briefed the FTC staff on remediation and improvements to Uber’s security program that he inaccurately claimed had been completed and would prevent the recurrence of a breach targeting the same vulnerabilities. Just 10 days before learning of the 2016 incident, Sullivan had provided sworn testimony to FTC staff on the 2014 incident and Uber’s security program.
Sullivan and Uber paid the hackers through Uber’s formal bug bounty program. They did so in an attempt to craft a narrative that would allow them to claim that no reportable data breach of personal information had occurred.
The facts do not fit squarely into Uber’s bug bounty program parameters. For instance, the hackers were clearly attempting to extort payment by threatening to expose the breach and the contents of millions of personal records contained in a database backup they now possessed. They were seeking a payment that was much higher than the $10,000 cap Uber generally employed for the program.
Without knowing their true identities, Uber required them to sign a nondisclosure agreement drafted by Sullivan and Uber’s in-house lawyer that included a false “promise” that the hackers “did not take or store any data during or through [their] research.” In January 2017, an Uber security team member determined the true identities of two of the three hackers, located them, and got them to sign new versions of the false nondisclosure agreement in their true names.
Neither Sullivan nor anyone else involved in the incident response disclosed the 2016 incident to the FTC, the potentially affected individuals, or anyone at Uber other than the then-CEO, the in-house lawyer and others working under Sullivan’s close supervision. Instead, Sullivan continued to work with Uber’s legal team, including Uber’s then-general counsel, on the FTC investigation for another year without informing them of the 2016 incident.
He commented on Uber’s communications with the FTC in settlement negotiations and approved supplemental interrogatory responses that contained information he knew to be false. When he was later questioned about the incident by Uber’s current CEO and external lawyers, Sullivan misrepresented key facts to minimize his actions and blamed the in-house lawyer whom he supervised for failing to disclose the incident.
Disclosures and Diving for Cover
In November 2017, Uber’s new management team disclosed the 2016 incident publicly and to the FTC. The disclosure caused the FTC to withdraw a draft complaint and consent order that it had negotiated with Uber regarding the 2014 breach and its security program. A revised complaint and consent order was negotiated and approved by the FTC in October 2018 as part of a $148 million settlement between Uber, the FTC and all state attorneys general.
In October 2019, two of the hackers – Brandon Charles Glover and Vasile Mereacre – pled guilty to conspiracy to violate the Computer Fraud and Abuse Act in connection with the 2016 incident. Glover and Mereacre admitted that they had hacked into Uber’s AWS S3 bucket, stole the database backup containing millions of personal records and extorted Uber into paying $100,000 in exchange for their execution of the false nondisclosure agreement.
Obstruction and Misprision
Sullivan was not charged with simply failing to notify the government of a breach. Such a failure is not a federal crime. Instead, the jury found Sullivan guilty of two crimes: Obstruction of Proceedings before a Department or Agency of the United States, and Misprision of a Felony. As relevant here, the law makes it a crime to corruptly influence, obstruct or impede “the due and proper administration of the law” (or to “endeavor” to do so) in any proceeding pending before any U.S. government department or agency. It proscribes the concealment of a felony by those who have knowledge of it and do “not as soon as possible make known the same to some judge or other person in civil or military authority under the United States.”
On the obstruction charge, the jury found Sullivan guilty of obstructing the FTC investigation that started before and was still active during the 2016 incident. Sullivan’s conviction is inextricably tied to the FTC’s active investigation of Uber at the time of the 2016 incident and the vital role that Sullivan was playing in that investigation.
On the misprision (i.e., concealment) charge, the jury found Sullivan guilty of affirmatively acting to conceal the incident from the FTC when the agency’s staff sought information about such incidents and security controls from Uber. Emphasizing the active concealment element in its jury instructions, the court explained: “Mere failure to report a federal felony is not a crime. The defendant must also commit some affirmative act designed to conceal the fact that a federal felony has been committed.” The jury clearly believed that Sullivan concealed the hacking-facilitated extortion crime (i.e., the underlying felony) from the FTC by engaging in the actions outlined above.
Central to the finding, no doubt, was Sullivan and the immunized in-house lawyer’s drafting of a nondisclosure agreement that included a false “promise” that the hackers “did not take or store any data during or through [their] research.” Folks at Justice and the FBI don’t like being lied to. Note how Sullivan’s corporate counsel sold him down the river without a second thought. Trust no one.
Sullivan Case Takeaways
There are many issues and implications to unpack in the Sullivan case. We offer some key points that we noted at the first pass-through.
Avoid active concealment of information about security incidents and ransom payments, regardless of what your boss tells you to do. He won’t go to jail. You will.
If your organization is under active investigation by a governmental agency, do not affirmatively attempt to conceal relevant, non-privileged information from the agency or those inside your organization who need to know (e.g., about security flaws or new incidents). You may need help evaluating and understanding the scope of the agency’s investigation and what affirmative obligations you have to provide information in response to open inquiries. If you need assistance, get it. In fact, now would be a good time to lawyer up. In the meantime, stay away from all elements of the investigation and trust no one. They aren’t going to jail. You may be instead.
Tell Everyone
If you are considering a ransom payment in response to data theft, encryption event or another criminal attack, consider these steps:
Notify law enforcement of criminal attacks, especially if you make payment. This is already a best practice and consistent with OFAC sanctions guidance. Notifying a federal law enforcement agency or other agency (e.g., CISA) of an incident likely eliminates the possibility of a misprision charge. Notify them all.
Evaluate and address your notice obligations under domestic and international breach notification laws, even if you pay. Failure to notify agencies under breach notification laws may not land you in jail but will create plenty of other headaches. Do not mistakenly assume that a ransom payment and an attacker’s “promise” to delete data eliminate your potential notice obligations. They won’t. Overcompensate and notify everyone (CISA, DHS, FTC, DOD, NSA, FBI, SEC, NIST, etc.).
As an information security professional, do not affirmatively try to conceal facts about a security incident from internal or external stakeholders. At a minimum, this means do not delete or alter data, logs or other evidence to conceal evidence of a crime; do not pay, bribe, threaten or extort others to conceal evidence of a crime; and do not create documents that you know contain false information. This is tempting to do but the answer to every question about who could find out and how it could go wrong is always, everyone and everything.
Bug Bounties
Ensure that you have a clear bug bounty policy in place that identifies authorized bug bounty activities and typical payments. Evaluate unusual bug bounty requests (or demands) carefully and never route extortionate or criminal activity through your bug bounty program.
Ensure that your internal bug bounty procedures include a mechanism to route activity that may be extortionate or that may qualify as a data breach to the appropriate personnel for review and action.
Use your bug bounty program to compensate legitimate security researchers reporting vulnerabilities in line with your program policies. Do not be too clever and try to use the bug bounty program to conceal evidence of a crime or a data breach. If you are not sure whether a particular activity is legitimate security research or criminal activity, ask a lawyer for help.
There are valid reasons to seek non-disclosure agreements with legitimate security researchers and non-disclosure agreements are still acceptable in connection with legitimate bug bounty activities. Your program policies and proper oversight should help ensure that these agreements are not used to conceal criminal activity.
Organizational Liability
The Sullivan case should be considered in the context of the whole-of-government trend in cybersecurity policy toward more robust disclosure and reporting obligations. Recent activity by the White House, FTC, SEC, Treasury, DOD, DOJ, Congress and others demonstrates that law enforcement agencies and regulators expect more disclosures about cybersecurity programs and incidents, particularly those involving cyber-extortion attacks that can inflict injury on multiple victims. The Sullivan case is one part of that trend.
The case also bears the hallmarks of the DOJ’s revised white-collar policy on organizational liability for criminal conduct. That policy builds on prior “DAG Memos” by prioritizing individual accountability for corporate misconduct. It emphasizes that decisions on whether to prosecute an organization will rest heavily on past history of non-compliance, current compliance programming, and whether the organization provides timely and full self-disclosure of misconduct by individuals – including by waiving legal privilege.
Trust No One
Some of those policy positions are evident in the Sullivan case. Sullivan’s conduct became known only after new management took over at Uber. That new team investigated the conduct and decided to disclose it.
Most annoyingly, Uber secured a non-prosecution agreement less than two months before Sullivan’s trial began. The government built its case against Sullivan on the testimony of Uber’s senior executives and employees (current and former) protected by that non-prosecution agreement and the use of an array of incident response trackers, documents and communications that the government obtained from Uber and its cybersecurity service providers.
Without those witnesses and exhibits, there is no criminal case against Sullivan. Trust no one.
On the flip side, organizations should expect to see increased whistleblower activity around cybersecurity programs generally and incident response activities in particular. The DOJ’s Civil Cyber Fraud Initiative and related policies create significant incentives for employees and others to report organizational misconduct that may be otherwise undisclosed. These things often end badly.
Changes Required
Now, in our second week following the verdict, every story we can find in media coverage omits the fact that Sullivan told Uber’s then-chief executive, Travis Kalanick, about the breach within hours of learning about it himself, and that Kalanick approved Sullivan’s strategy. The company’s chief privacy lawyer, who was overseeing the response to the FTC, was informed as well and had no objections. Perhaps the members of the media also signed non-prosecution agreements.
But Sullivan was not on trial, found guilty and now awaiting 5-8 years of potential jail time at sentencing because he made mistakes or exhibited poor judgment. He was on trial because he followed the orders of his then boss, Kalanick, concocted a fairly smart scheme for a very low payout that resulted in the identification of two of the bad guys (both of whom have been arrested), and because he didn’t announce any of what had happened publicly or report it to the FTC, FBI or Justice.
And because he also consciously and wittingly broke two laws, multiple times, in the process.
Our nagging problem that doesn’t want to go away is the fiduciary violation by actual officers of Uber and the fact that they appear to be going unpunished. Joe Sullivan will get what he deserves but what will his co-conspirators get? And are non-prosecution agreements fair or allowable in all circumstances? Should they be?
The real fear among the CISO community is not so much having to navigate the legal ramifications of a similar breach, but rather the additional burden of carrying liability water for officers and directors who will betray them at Rubicon’s time.
That needs to change.