Earlier this month, former Uber CISO (and former federal cybercrime prosecutor) Joe Sullivan was convicted by a federal jury in San Francisco for concealing information related to a data breach at the ride-sharing app company from the Federal Trade Commission. The actual charges were that Sullivan, by paying for the hackers’ silence, obstructed a then-ongoing investigation of Uber by the FTC and that he “concealed and failed to report” a felony committed against Uber—the theft of personal data. In fact, there are literally dozens of “data breach reporting” statutes, rules, regulations and applicable case law that Uber may have violated when Sullivan agreed not to reveal the fact that personal information about Uber customers, drivers and others had been stolen by hackers. So, one lesson from the Uber case is that data breaches must be reported, right?
Not so fast.
You see, these data breach disclosure laws don’t specifically have criminal penalties. The government’s theory of criminal liability in the Sullivan case was that by concealing the reportable data breach (not simply failing to report it) Sullivan committed “misprision of a felony”—an ancient common law offense typically used against those who aid or abet a crime by “concealing and not reporting” the felony. In the Sullivan/Uber case, however, the statute was used to punish a victim of a crime for not reporting the fact that they had been victimized. One important aspect of this statute is that it can be used against CISOs who conceal and fail to report any cyber-related felony—not simply data breaches.
Since virtually any unauthorized access to, attempted damage to, or misuse of a computer or computer network is likely to constitute a felony violation of the Computer Fraud and Abuse Act (18 USC 1030), and may also violate various federal wiretap, stored communications or other fraud statutes, a CISO who “conceals and fails to report” any incident which might constitute a felony is subject to prosecution under this theory. Is this likely? No. But would I have predicted that the theory would be applied to the actions of Uber in not reporting the fact that they had been the victim of an attack? Also, no.
So, spam may be a felony, and deleting it may be “concealing and not reporting” it. Phishing attempts are attempted felonies in many cases. Again, deleting them may be “concealing and failing to report.” In particular, ransomware, extortion, doxxing, revenge porn and similar attacks are all felonies, and CISOs face potential criminal exposure for not reporting these incidents to the government if they also take any steps to “conceal” them.
Too Much Tuna
In some ways, the government has—through the Sullivan prosecution—created a nightmare scenario for itself. The FBI’s Internet Crime Complaint Center (IC3) is already overwhelmed with reports of computer crimes and likely will not investigate an attack unless it has national security implications or results in a loss in the hundreds of thousands or millions of dollars. That’s simply being practical. The FBI is not interested in investigating, nor does it have the resources to investigate, every single computer crime felony—especially when you consider how expansive the definition of a “felony” can be.
However, to avoid potential criminal liability, the CISO is encouraged to report not just data breaches but any felony about which they become aware. Again, not reporting a felony security incident is not a crime—the misprision statute requires an act of concealment. But it’s easy to imagine an incident involving an employee, executive, contractor, etc. misusing a computer system in some way, and the company wishing them to go away quietly. Terminating the employee or the contractor with a standard NDA or even a “nondisparagement” clause may now constitute “concealing” the computer abuse—and voilà! Misprision of a felony. Deleting spam or phishing attacks conceals them. Misprision.
This is similar to the situation faced by financial services firms when the Treasury Department began threatening their compliance offices with administrative sanctions for failure to file suspicious activity reports (SARs). SARs were required whenever there was evidence of a crime by any insider, or evidence of a crime by an outsider that met certain dollar thresholds and other factors.
But the definition of “insider abuse” was such that a user who clicked on a phishing link might then trigger the required filing of a SAR—resulting in hundreds of thousands of possible SARs having to be filed. If banks failed to report, they faced possible sanctions, even though nobody wanted them to report this kind of thing. The problem was “solved” when FinCEN issued guidelines on what should—and what should not—be reported as cybercrimes. What is significant here is that the reporting requirements (and possible sanctions) go beyond reporting of data breaches.
As a result, a CISO and his/her employer have potential liability not only for failing to report reportable data breaches, but also potentially for concealing and not reporting ANY security incident or event.
The Obstruction Theory
The Sullivan prosecution went further. One of the government’s theories—accepted by the jury—was that Uber obstructed the FTC’s investigation of a prior data breach by concealing the fact that they had suffered a subsequent data breach. The theory goes that the FTC would have wanted to know about the subsequent breach as they were negotiating remedial efforts they were going to impose on Uber as a result of the first breach.
Note, however, that this theory of “obstruction” does two things. First, it imposes an affirmative obligation on entities subject to FTC enforcement actions to notify the commission about anything the commission thinks is material to their investigation. As such, it vastly expands the discovery and disclosure obligations of what amounts to a civil defendant. In fact, it imposes this requirement under penalty of criminal prosecution (although the FTC has no criminal enforcement authority) even after the underlying case is settled.
A typical FTC consent decree requires, in addition to a comprehensive and effective data security program, oversight of some kind by the FTC of that program—often for a period of twenty years. Under the Sullivan/Uber precedent, an entity subject to such a consent decree—or even one negotiating one—would have an affirmative duty to disclose any information from which the FTC might conclude that they were not living up to their obligations.
Significantly, again, this does not focus simply on data breaches. The duty to disclose would apply to any material (significant) failure of the required information security program, irrespective of whether this led to a compromise of data. As the sample consent decree against CafePress by the FTC indicates, these consent decrees typically track the language of the NIST guidelines in requiring comprehensive (and third-party audited) information security programs. Under the Uber/Sullivan precedent, not disclosing a failure to comply fully with such a program, or having a significant incident even if you are complying with the requirements, may constitute obstruction of the FTC proceeding and result in criminal penalties. That’s a significant development.
The SEC ‘Fraud’ Theory
Failing to report a “material” or “significant” event—irrespective of whether it is a reportable data breach—can also support a criminal prosecution under U.S. securities law. SEC guidelines mandate that certain publicly traded companies report material cybersecurity “incidents”—not just breaches—on their 8-K public filings. Significantly, this reporting is required “to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.” In other words, investors make stock purchase and trading decisions based on their perception of a company’s risk profile and cybersecurity posture, and therefore not reporting material information about an incident to the investing public can induce a person to trade without the required information.
Federal securities fraud criminal statutes make it a criminal offense to engage in fraud in connection with the purchase and sale of securities, and both false statements to investors and failure to provide material information to investors may then result in criminal liability for the company—and the CISO. In short, if you ever have a situation where you think “Jeez—if we disclose this, our stock price will plummet!”—that’s probably when you must disclose it. Again, the decision whether disclosure is required (and whether the incident is material) typically rests with the general counsel, but Sullivan as CISO (he wore two hats within Uber) was criminally prosecuted for the nondisclosure, even though the CEO of the company knew about the incident.
So there need not be a reportable data breach to trigger a duty to report.
The Other Fraud Theory: Privacy as Property
In the Sullivan prosecution, the United States Attorney’s Office trotted out another potentially troubling theory of criminal liability. The grand jury also indicted Sullivan on two counts of wire fraud under a statute that makes it a crime to use the interstate wires (here, the internet) in furtherance of a “scheme or artifice to defraud” persons “of money or property.”
The wire fraud theory rested on the concept that the privacy of the Uber customers, drivers and others which was the subject of the data breach constituted “money or property” and that Sullivan, on behalf of Uber, by not disclosing the breach, somehow deprived the data subjects of some “money or property.” In some sense, this is a “privacy as property” theory, in other senses, it is a “fraud on the market” theory—that Sullivan and Uber, by not disclosing to the public some significant event that could impact customers, “defrauded” them out of something.
This is more significant when a contract or other regulation imposes an actual duty to disclose a security incident. In such a case, the failure to disclose—which might otherwise simply be seen as a breach of contract—could be transformed into mail or wire fraud. The theory would be that, by sending an invoice for goods or services without disclosing the fact that there had been an incident which the other party had a contractual right to know about, the invoicing party was “defrauding” the invoiced party out of “money or property.” That would be a significant expansion of the wire fraud statute.
Even under the “privacy as property” theory, the theory is that Uber’s customers and drivers parted with their personal information based on representations that the data was—or would be kept—secure. The breach of the promise of security means that the data is obtained by “false pretenses”—or, criminal fraud.
The government dismissed the two wire fraud counts, but this does not mean that a subsequent prosecutor might not try to resurrect this theory of criminal liability.
Fraught with Peril
The Sullivan case has been described as a criminal failure to report a data breach and an attempt to conceal the fact of the breach. While this is undoubtedly true, the case is precedent for much more. It is a shot across the bow that the government will use the criminal law against CISOs whenever they believe that the company is not disclosing—to them or to the public—information that they think is important. This is not limited to breaches. It is not even limited to incidents. Misconfigurations, security failures, lack of authentication and, indeed, any significant deviation from the NIST guidelines could be a “reportable” event even if there is no “incident” or “breach.” Failure to report may land the CISO in jail. Of course, I am being a bit hyperbolic here—I doubt that rows of CISOs will be frog-marched to the hoosegow. But the government has found another tool to try to force more comprehensive reporting (even if it doesn’t really want that reporting). One should prudently assume that the government will use this tool in the future.