Former DOJ cybercrime prosecutor and former Uber CISO Joe Sullivan will face a federal jury in San Francisco later this month on charges arising from his response to a data breach at the ride-sharing company. The government alleges that Sullivan, upon learning that the company had been breached (and knowing that prior Uber breaches were the subject of settlement talks with the Federal Trade Commission), decided to pay the hackers for their silence through Uber’s “bug bounty” program and had them sign a nondisclosure agreement in which they represented that they had not accessed any personally identifiable information (PII). All of this, the government alleges, was designed to conceal the fact that there had been a data breach and to avoid California’s (and other states’) data breach disclosure laws, which mandate disclosure of unauthorized access to certain kinds of PII.
But these data breach disclosure laws do not have criminal penalties. The most that can happen if you don’t report a reportable data breach is that the company can be fined. So, what’s the crime here?
In the case of Joe Sullivan, the prosecutors charged three different crimes, each resting on a different legal theory.
First, the indictment alleges that by not reporting the data breach, Sullivan “obstructed” the FTC investigation. Specifically, the government alleges that Sullivan “did corruptly influence, obstruct, and impede, and endeavored to influence, obstruct, and impede, and any applicable combination, the due and proper administration of the law under which a pending proceeding was being had before a department or agency of the United States, namely, the FTC and its investigation into Uber’s data security program and practices” in violation of federal criminal law.
The problem here was that the FTC was investigating Uber’s prior data breaches—not the one that Sullivan allegedly concealed. No problem, said the prosecutor, since the FTC certainly would have wanted to know about the subsequent data breach in evaluating the adequacy of Uber’s security program and in negotiating an appropriate settlement with the company and mandating security compliance. Certainly, Uber did not want to affirmatively tell the FTC that they had had another data breach. But there was no legal requirement that Uber actually tell the FTC about the breach, as there is no current data breach disclosure law that mandates disclosure to the FTC. It’s not clear that the FTC ever asked Uber, nor would we expect them to. Essentially, the government is asserting that it is a crime to not tell an agency that is investigating your past activities about current activities that the investigator might deem relevant. Importantly, it was not the fact that Uber had a reportable data breach that triggered the obstruction charge, but the fact that they simply failed to inform the FTC about a security vulnerability that might have impacted the settlement of the previous breach—whether that vulnerability led to a breach or not.
The next charge is “misprision of a felony”—that is, that Sullivan “concealed and failed to report” a felony under federal law, the felony being the cyberattack on Uber. Importantly, Uber was, at least putatively, the “victim” of that crime, and the prosecution seeks to impose a criminal sanction on Uber (and Sullivan) for not reporting the “crime,” not for failing to report the data breach. Thus, any time a company has been the victim of an actual or attempted break-in or “unauthorized access” to its systems and networks and “conceals and fails to report” that activity, the CISO is subject to criminal prosecution. The key in the Uber case is that Sullivan not only didn’t report the breach but “concealed” it by paying off the attackers. But, conceivably, any act that “conceals” the unauthorized access (including routine deletion of logs, etc.) could be prosecuted as a felony.
Recently, the government added three separate wire fraud counts to the Sullivan indictment. Here, the government alleged that Sullivan’s actions in not reporting (or concealing) the fact of the breach operated as a “scheme or artifice to defraud” Uber drivers who paid an access fee to the company to use the platform. The indictment implied that, had the drivers known about the breach of their data, at least some of them might choose not to do business with the company, and therefore not to pay the access fee. Thus, the indictment asserted, the object of the fraud was the money the drivers were paying Uber.
When a company chooses not to report a potential data breach (and when it chooses how to report), it weighs many factors, including the seriousness of the breach, the mitigating factors, the impact on victims and the impact on the company. What is interesting about the government’s “fraud on victims” theory in Sullivan is the assumption that creating “false confidence” in the security of an enterprise is a scheme or artifice to defraud those who rely on that false picture. Thus, if Amazon suffered a data breach but didn’t report it, then irrespective of whether my own Amazon data was breached, I could allege that “but for” the failure to report I would not have paid my annual Prime membership fee, and therefore that I was “defrauded” out of my $125.
This theory is slightly different from the “personal data-as-property” theory. In post-breach civil lawsuits, courts often reject claims of damages on the basis that the data subject suffered no actual or measurable harm from the breach; fear of future harm or future identity fraud is often found insufficient to sustain a lawsuit for breach of privacy. So victims often cannot sue even when their own personal data has actually been breached. The government’s theory in Sullivan, though advanced in a criminal case, would establish an effective duty to the community to disclose prior data breaches (and possibly security vulnerabilities that did not result in a breach) whenever such knowledge might have affected a customer’s (or employee’s) decision to part with funds; those funds would then be the proceeds of the company’s fraudulent failure to disclose the breach or vulnerability. Effectively, consumer confidence becomes a commodity, and the theory reduces to “If I had known X, I would not have done business with you.”
The trial court rejected Sullivan’s motion to dismiss the fraud charges, and these too will be part of the trial later this month. We will see how a jury handles this case.