
The Fallout From the First Trial of a Corporate Executive for ‘Covering Up’ a Data Breach

Kellen Dwyer
Wednesday, October 19, 2022, 8:16 AM

The Justice Department should issue guidance to clarify the line between covering up a data breach and merely declining to disclose it.

A person using the Uber app. (www.quotecatalog.com, https://flic.kr/p/25dr66s; CC BY 2.0, https://creativecommons.org/licenses/by/2.0/)

Published by The Lawfare Institute in Cooperation With Brookings

Uber’s former chief security officer (CSO), Joe Sullivan, was found guilty on Oct. 5 of obstruction of justice (18 U.S.C. § 1505) and misprision of a felony (18 U.S.C. § 4) based on what the Justice Department called his “attempted cover-up of a 2016 hack of Uber.” 

In 2016, while the Federal Trade Commission (FTC) was investigating Uber for an earlier incident, Sullivan learned of another hacking incident that affected the Uber accounts of more than 57 million riders and drivers. In its prosecution of Sullivan, the government alleged that, rather than disclose the incident to the FTC, Uber’s former CSO took steps to hide it from the government, as well as from many of his colleagues at Uber. Most notably, in his alleged attempt to cover up the incident, Sullivan also arranged a $100,000 payment to the hackers through Uber’s “bug bounty” program in exchange for their signatures on a nondisclosure agreement (NDA) promising not to reveal the incident and falsely stating that they did not exfiltrate sensitive customer information. 

This case—which marks the first time a company executive faced criminal prosecution over their response to a data incident—is troubling. Most notably, it blurs the line between “covering up” a data incident and merely declining to report it. At the time of the CSO’s actions, there was no generally applicable statute requiring companies to disclose data security incidents to the federal government. And while President Biden recently signed legislation requiring critical infrastructure companies to report certain data security incidents to the government, that statute will not take effect until the Department of Homeland Security finalizes implementing regulations, likely in 2025. 

Nonetheless, comments from Justice Department leadership in the wake of the trial read as though there is already an established duty to disclose such incidents to the federal government such that any nondisclosure is a “cover-up.” The U.S. Attorney for the Northern District of California, for instance, stated that the Justice Department “expect[s]” companies with access to sensitive consumer data “to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers” and that “[w]e will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation … than in protecting users.” Similarly, the special agent in charge of the FBI’s San Francisco Field Office declared that “[t]he message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur.” 

These somewhat hyperbolic statements, combined with the broad and novel legal theories that the Justice Department employed against Sullivan, have caused considerable consternation in the cybersecurity community and threaten to undermine the positive working relationship between the Justice Department and the private sector. To restore trust, the Justice Department should consider issuing formal guidance limiting the circumstances in which companies and/or corporate executives will be prosecuted for being insufficiently forthcoming about a cyber incident.

The Justice Department’s Battle With CISA for Cyber Supremacy 

Cyber incident reporting has been a sensitive subject at the Justice Department as of late. At the beginning of this year, the Justice Department essentially lost a turf war to the Department of Homeland Security in a disagreement over which department should receive the soon-to-be mandatory cyber incident reports under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The Justice Department was reportedly concerned that, because CIRCIA mandates reporting to the Cybersecurity and Infrastructure Security Agency (CISA), and makes such reports immune from civil discovery, the FBI will receive less cooperation from companies, which may prefer to report solely through the privileged mechanism created by CIRCIA. This interagency dispute spilled into the public when Deputy Attorney General Lisa Monaco and FBI Director Christopher Wray broke with the Biden administration to publicly oppose the law, both warning starkly that it “would make the public less safe from cyber threats.” CIRCIA passed nonetheless and was signed into law on March 15.

Since then, the Justice Department has redoubled its efforts to encourage the private sector to voluntarily report cyber incidents to the FBI. The overarching theme of the FBI’s messaging has been that companies that voluntarily report computer intrusions will be treated as victims, rather than as regulated entities or investigative targets. The Justice Department has made considerable progress in building trust with the private sector. Indeed, I frequently advise clients to voluntarily report to the FBI and am quick to point out the benefits of doing so. The Justice Department may be hoping that the Sullivan verdict will further encourage companies to report data security incidents to the FBI, lest they too be accused of engaging in a “cover-up.”

Yet there is a risk that the Justice Department’s efforts could have the opposite effect, thus undermining the trust that the FBI has built with hacking victims and chilling future cooperation. To be sure, the Justice Department would likely respond that the Sullivan case involved aggravating facts and that those who cooperate in good faith have nothing to worry about. The problem, however, is that the legal theories employed against Sullivan sweep far more broadly than the facts of the case and may cause corporate executives to think twice about calling in the FBI if there is even a small chance that the bureau could turn on them. 

The Justice Department’s use of broad charging theories to create uncertain cyber reporting obligations compares unfavorably with CISA’s careful administrative approach. Just last month, CISA issued a request for information seeking detailed feedback from industry in advance of a notice of proposed rulemaking that will provide detailed regulations defining the nature, scope, and content of the duty to report cyber incidents under CIRCIA. CISA, with its ability to gather data from industry and engage in notice-and-comment rulemaking, is in a better position than the Justice Department to prescribe cyber reporting obligations. However, to the extent the Justice Department is going to create new reporting obligations, it should issue formal guidance on the matter rather than leaving industry to deduce the rules by studying a criminal trial or a press release. 

Questions That the Justice Department Should Address

Under what circumstances will the Justice Department charge obstruction of justice or false statements for providing incomplete cooperation concerning a data security incident? 

At the time of the 2016 incident, Uber was already in the midst of an FTC investigation into its data security practices that arose from a separate incident in 2014. Importantly, it was this preexisting investigation that Sullivan was convicted of obstructing in 2022. In 2015, the FTC served a detailed civil investigative demand (CID) on Uber, demanding extensive information about any other instances of unauthorized access to user personal information as well as information on Uber’s broader data security program and practices. Sullivan was heavily involved in preparing Uber’s response to the CID and, on Nov. 4, 2016, was deposed by the FTC concerning Uber’s data security practices. Ten days later, Sullivan received an email from a hacker informing him of a new incident involving a significant amount of sensitive customer data. Employees on the CSO’s team quickly verified the accuracy of these claims, which included records on approximately 57 million Uber users and 600,000 driver’s license numbers. 

The Justice Department’s obstruction theory appeared to be that, while the FTC’s investigation remained ongoing, the CSO had a continuing duty to update the CID and his deposition testimony to disclose any significant new incident. Indeed, according to the Justice Department press release, “despite knowing in great detail that Uber had suffered another data breach directly responsive to the FTC’s inquiry, Sullivan continued to work with the Uber lawyers handling or overseeing that inquiry, including the General Counsel of Uber, and never mentioned the incident to them.” Rather than alerting Uber’s lawyers or the U.S. government, Sullivan “touted the work that he and his team had done on data security. Uber ultimately entered into a preliminary settlement with the FTC.”

Thus, the Justice Department’s obstruction theory was based, not so much on an explicit false statement the CSO made after learning of the 2016 incident, but rather on the fact that he continued to engage with the FTC without updating his and Uber’s prior statements regarding whether Uber had suffered other data security incidents. The key takeaway for companies observing this situation is that a preexisting and ongoing regulatory investigation into a previous incident or a company’s data security practices can trigger a duty to disclose any new incidents to that same regulator. This aspect of the case is fairly easy for companies to respond to. Indeed, most counsel would likely already advise clients to alert regulators of new, significant incidents, especially amid an ongoing investigation.

But companies might wonder whether the existence of an ongoing FBI investigation—including an investigation that the victim company itself triggered by voluntarily reporting an incident—could create a similar duty to update. That is, if a company cooperates with an FBI investigation and provides information about a data security incident, does it have a duty to update that disclosure if it later learns that the incident was worse than it initially thought, or if it learns of a new and potentially related intrusion? Would it be considered misleading for a company cooperating with an FBI investigation to omit sensitive information, such as the fact that it paid a ransom to hackers to keep them from posting stolen data on their “shaming site”? Under what circumstances would the Justice Department consider false statement charges against a CSO or chief information security officer who voluntarily speaks to the FBI but does not provide all material information about a data security incident, including information about the company’s defenses and why they failed? 

A written Justice Department policy could reassure industry that the department understands the extreme sensitivities surrounding a data security incident—including public relations risks, the potential for consumer class actions and regulatory investigations, and the need to avoid a waiver of attorney-client and attorney work product privilege, among other considerations—that often make it difficult for companies to share all relevant information with the government in the immediate aftermath of a computer intrusion. The Justice Department’s policy should make it crystal clear that the good deed of voluntarily reporting cyber incidents to the FBI will not be punished, that the mere act of voluntarily reporting some information about an incident will not trigger the duty to report even more information, and, most importantly, that criminal charges against victims will be reserved for truly egregious circumstances where there are intentionally false statements or similar bad-faith conduct. To be clear, as a former federal prosecutor myself, I do not believe that the Justice Department is acting in bad faith or looking to indict good-faith actors on technicalities. And I am grateful for the excellent service that the Justice Department and FBI routinely provide when my partners and I report data security incidents on behalf of our clients. But a written policy providing some clarity on what is expected of victims would go a long way to alleviate some of the concern created by the broad legal theories that were used against Uber’s former CSO.

Under what circumstances will the Justice Department charge misprision of a felony against a company or corporate employee that fails to disclose a computer intrusion? 

The second charge against Sullivan was an old and rarely used one: misprision of a felony. Misprision is an extraordinarily broad crime. It merely requires that a person is aware of a federal felony, fails to report it to federal authorities as soon as possible, and does an affirmative act to conceal the fact that a crime was committed. As the Justice Department itself stressed in its proposed jury instruction in the Sullivan trial, the “affirmative act of concealment” required for misprision “does not need to be made directly to an authority.” Thus, unlike obstruction of justice, misprision of a felony does not require that the defendant was aware of an existing or anticipated government investigation, that the defendant intended to corruptly influence or impede such an investigation, or even that the defendant made any statement to the government whatsoever. Rather, it is enough that the defendant knew of a crime and endeavored to keep it quiet.

In Sullivan’s case, the Justice Department based a misprision charge largely on his use of Uber’s bug bounty program to prevent public disclosure of the 2016 incident. In particular, Sullivan arranged a $100,000 payment to the hackers in exchange for an NDA promising not to disclose the incident and falsely stating that the incident did not involve the compromise of sensitive data. In addition, according to a former in-house Uber attorney who testified pursuant to an immunity agreement, Sullivan changed the NDA to make it falsely seem that the hack was “white hat” research, that is, committed by good-faith hackers who were merely attempting to discover flaws in Uber’s security, rather than looking to steal customer data.

The misprision theory is the most troubling aspect of this case. Any company that learns it was the victim of an actual or attempted computer intrusion is likely aware of a felony—and some large companies experience such events daily. If an intrusion does not meet the threshold for required disclosure under existing laws, a company might decide to keep it confidential, for a variety of valid reasons. But a company making that decision now has to worry that anything it says or does to keep an intrusion confidential could be construed by the Justice Department years after the fact as an “affirmative act of concealment” giving rise to a potential misprision charge. To resolve these fears, the department’s guidance should, at a minimum, address a few common fact patterns:

  • Ransom Payments: Victims of computer intrusions often choose to pay a ransom to the hackers for a variety of valid reasons, including to protect their business and their customers. Often, a company pays ransom, in part, to prevent the hackers from publishing sensitive data online, including the personal information of its customers. Outside the context of sanctioned groups, the government has thus far never seriously considered making ransom payments illegal. Yet, post-Sullivan, it is not hard to imagine that a ransom payment in exchange for an explicit or implicit promise not to disclose the existence of the incident could be considered affirmative concealment of the incident. Indeed, the Justice Department’s press release cited as aggravating factors that “Sullivan orchestrated [the payment] despite knowing that the hackers were hacking and extorting other companies as well as Uber” and “despite the fact that the hackers had refused to provide their true names.” Of course, those same factors are present with nearly every ransom payment.
  • Vulnerability Disclosure Programs: Many companies have vulnerability disclosure, or bug bounty, programs that offer monetary rewards to ethical, or “white hat,” hackers who discover and report vulnerabilities that could allow a company to be hacked. The Justice Department’s misprision charge against Sullivan was based largely on a $100,000 payment to the hackers that he orchestrated through Uber’s bug bounty program in exchange for the hackers signing an NDA promising not to reveal the incident. But companies frequently use NDAs as part of their bug bounty programs as they understandably do not want to publicize the fact that they were or even could be hacked or the vulnerabilities that allowed such hacking to occur. To be sure, the government also faulted Sullivan for having the hackers falsely state that they did not exfiltrate sensitive customer information. But it is not clear that a false statement was necessary for the misprision charge. After all, misprision only requires an “affirmative act of concealment,” not a false or misleading statement, and NDAs, by definition, conceal. 
  • Restrictions on Disseminating Information About an Intrusion: At the Sullivan trial, prosecutors repeatedly read from internal company communications in which Sullivan stressed to others the need to keep the 2016 incident quiet. For instance, he told subordinates that they “can’t let this get out,” instructed them that the information needed to be “tightly controlled,” and that the story outside the security group was to be that “this investigation does not exist.” While these statements are not flattering, it is not uncommon for companies to tightly control information about a cyber incident, especially while the investigation is ongoing. There may be very good reasons for doing so, including the need to preserve attorney-client and attorney work product privilege, and the need to avoid disseminating information piecemeal before all the facts are known. In its guidance, the Justice Department should address who within a company should be informed of a data security incident and whether, and in what circumstances, companies may appropriately limit the flow of information about a computer intrusion. 

Rethinking Misprision

More generally, it is worth asking whether the Justice Department ever needs to use a misprision charge in the context of a company’s failure to report a data security incident. There are a variety of state laws that require companies to report certain computer intrusions to victims and/or to state attorneys general. There are sector-specific laws and regulations requiring reporting of certain data security incidents to federal agencies and/or the public. And CISA is currently in the process of developing regulations that will require companies it deems “critical infrastructure” to report certain cyber incidents and ransom payments to CISA, which in turn will be required to share such reports with the FBI within 24 hours of receiving them. If a company fails to fulfill these duties, each of these regulators has a variety of enforcement mechanisms. And if a company corruptly destroys evidence, or makes intentionally false or misleading statements, in a manner designed to influence a federal investigation, the Justice Department has the ability to bring obstruction of justice and/or false statements charges. 

But if a company does comply with its state and federal cyber incident and ransom payment disclosure obligations, and does not lie to the government or aim to obstruct its investigation, I am hard-pressed to think of circumstances in which a misprision charge would nonetheless be necessary or appropriate. I do not believe, for instance, that a company that pays a ransom, in part, to prevent public disclosure of a ransomware event, and decides not to disclose that payment to the federal government in circumstances where the forthcoming CISA regulations do not require disclosure, should have to be concerned that the Justice Department might nonetheless consider its actions misprision of a felony. A contrary view would circumvent the careful regulatory process created by CIRCIA for defining the precise circumstances in which ransom payments are required to be disclosed and would smack of regulation by enforcement. If my concerns that a misprision charge could be misused in this way are unjustified, the Justice Department should say so in writing. Doing so will help restore the trust that the Sullivan prosecution has shaken.


Kellen Dwyer is a partner at Alston & Bird and co-chair of the firm’s National Security & Digital Crimes Team. He served in the Justice Department for seven years, first as an Assistant U.S. Attorney in the Eastern District of Virginia, where he prosecuted computer hacking and national security cases, then as a Deputy Assistant Attorney General in the National Security Division, where he was in charge of the legal policy and appellate sections.
