The world for in-house legal and cybersecurity professionals was turned upside down this week when a San Francisco jury returned a stunning verdict in a criminal case against Uber ex-security chief Joseph Sullivan.
Sullivan is a friend and former colleague. We worked together at eBay, when I was the company’s general counsel and he worked in trust and safety. I was at the courthouse Wednesday when the jury announced its verdict.
Sullivan was convicted on a pair of charges stemming from a 2016 breach, in which hackers stole the personal information of 57 million Uber app users. The hackers then contacted Sullivan by email to demand a ransom. He funneled them through the company’s established bug bounty program, paid them $100,000 for information regarding the security flaw, then led a companywide effort to find the hackers and fix the hole.
After discussing the matter with CEO and founder Travis Kalanick, Sullivan followed the advice of Uber’s in-house privacy/security lawyer and concluded that it was not necessary to report the breach to authorities. That was a tragic mistake with wide-ranging and serious implications for top lawyers and compliance and cybersecurity leaders across the business world.
Uber agreed in 2018 to pay $148 million to settle claims across the country related to the breach.
Now, Sullivan has been convicted on two counts—obstructing a government investigation and concealing the theft of personal data—which come with a maximum sentence of eight years in prison. Although he is likely to get a much less severe punishment, the conviction highlights the very real personal consequences facing corporate executives if hacks are not properly handled.
It’s not just the data and privacy crowd that should be paying attention. Now is the time for general counsel to get in-house privacy, legal and security leaders into a room for a conversation.
First, don’t be like Uber. Executives need to make a clear commitment that what happened in this case will not happen at your company.
Sullivan had little support in making the reporting decision, and was abandoned by the company as the investigation unfolded, a fact that has unnerved the cybersecurity community. Kalanick, long gone from Uber, took no responsibility for the decision. Uber’s now former general counsel Salle Yoo testified that she was unaware of this major breach at the time, even though members of the legal team were working on the matter and numerous engineers were engaged with fixing the security hole.
Craig Clark, the Uber attorney who advised Sullivan that he didn’t have to report the breach, took a deal from prosecutors. He got immunity in exchange for testifying against Sullivan.
That’s not to mention Uber’s current CEO, Dara Khosrowshahi. Anxious to demonstrate a clear break from Uber’s troubled ethical past with “Uber 2.0,” Khosrowshahi was only too happy to make an example of Sullivan by firing him and showing up at the trial to testify.
It’s small wonder that in-house attorneys and cyber leaders may be extremely nervous about how they’ll be supported if they err, particularly as there is no clear guidance on how wide a net prosecutors and regulators may cast in the aftermath of a hack.
There’s comfort, and better decision-making, in process and collaborative thinking. GCs need to quickly establish a careful process to follow in the wake of future breaches.
That process has to involve all key players, including the general counsel, chief compliance officer, chief security officer and (for major breaches) even the CEO and the board. Outside counsel also should be consulted. All parties should be mindful of how regulators and juries are likely to react to decisions to conceal significant breaches, in a new business environment where secrets are frowned upon, and transparency around consumer data is increasingly the expectation.
All involved leaders should ensure that they are designated as officers entitled to coverage under the company’s directors and officers liability insurance plan.
For GCs, the time is now to again review your company’s bug bounty program and practices. These programs are now widely and frequently used by companies of all sizes to compensate individuals who report bugs relating to security exploits and vulnerabilities.
The problem is that payouts under these programs often come with non-disclosure agreements that silence the party that flagged the bug for the company. Prosecutors in the Sullivan case said Uber’s use of such an agreement proved that it was trying to conceal the breach.
After Sullivan’s conviction, companies are likely to consider more carefully whether a disclosure is prudent for each new bug report.
It will be interesting to watch post-trial motions and the appeal in the Sullivan case.
I, like many others, believe that it is a company decision whether to report a breach, not one that should fairly fall on one person’s head. As such, any criminal cases for failure to report such breaches should be targeted at companies, not individual leaders. Had Uber been able to turn to an established process that carefully engaged a wide variety of stakeholders in the aftermath of the breach, this case might not have targeted Sullivan, or happened at all.
In the meantime, a cloud hangs over the profession and may lead some of the best and brightest in the field to think twice before taking a top in-house security job. Sullivan is a former prosecutor who earned accolades from law enforcement for work fighting internet crime over the last two decades; his conviction now looms large over the cybersecurity world.
Rob Chesnut is the former general counsel and chief ethics officer at Airbnb. He spent more than a decade as a Justice Department prosecutor and later oversaw US legal operations at eBay. The author of “Intentional Integrity: How Smart Companies Can Lead an Ethical Revolution,” Rob consults on legal and ethical issues.