Criminal Exposure For Failing To Timely Report Data Breaches

The United States Court of Appeals for the Ninth Circuit recently affirmed the criminal conviction of Joseph Sullivan, Uber's former Chief Security Officer (CSO), for his involvement in covering up a significant data breach at Uber.

This breach occurred while Uber was already under investigation by the Federal Trade Commission (FTC) for its data security practices.

Sullivan, a well-known cybersecurity expert and former Assistant U.S. Attorney, had joined Uber after the company experienced a data breach in 2014. In 2016, another major breach took place under his watch, exposing sensitive user data. At this time, Uber was still subject to FTC scrutiny regarding its previous security failures.

Instead of reporting the 2016 breach to the FTC as required, Sullivan and a small group within Uber took deliberate steps to conceal the incident. They tracked down the hackers responsible and pressured them to sign a non-disclosure agreement (NDA) that falsely described the breach as a form of "research" under Uber's Bug Bounty Program.

Uber then paid the hackers $100,000 and secured their agreement to delete the stolen data. Sullivan was directly involved in drafting the NDA and kept then-CEO Travis Kalanick informed about the hackers' compliance. However, he failed to notify Uber's general counsel, despite suggesting otherwise to colleagues. Additionally, Sullivan did not correct earlier statements made to the FTC about Uber's data encryption practices, even though the 2016 breach revealed that some of the compromised data was not encrypted.

The concealment unraveled in 2017 when Uber's new CEO, Dara Khosrowshahi, learned about the breach from Sullivan. However, Sullivan misrepresented the scope of the breach and the nature of the payment to the hackers. When the full details eventually emerged, Khosrowshahi fired Sullivan and publicly disclosed the breach. The FTC responded by revising its complaint against Uber, withdrawing its original consent agreement, and imposing stricter reporting requirements on the company.

Federal prosecutors charged Sullivan with obstruction of justice and misprision of a felony, which means concealing a felony. Sullivan challenged his conviction on several grounds, including the adequacy of jury instructions, the sufficiency of the evidence, and the admissibility of certain evidence. The Ninth Circuit, however, rejected all of Sullivan's arguments and upheld the district court's rulings, affirming his conviction.

Source: https://lawprofessors.typepad.com/legal_profession/2025/03/uber-security-chief-conviction-affirmed.html

Commentary

The above matter is significant because it marks the first time a company executive in the United States has been held criminally liable for mishandling a data breach.

When organizations do not promptly inform affected individuals of a data breach, those individuals may remain unaware that their sensitive information - such as financial records, Social Security numbers, or health data - has been compromised.

This delay can increase the risk of identity theft, financial fraud, and privacy violations, as victims are unable to take timely protective measures like monitoring their accounts or changing passwords. The lack of transparency also erodes consumer trust and confidence in the organization, leading to reputational damage and loss of business. Furthermore, undisclosed breaches can disrupt business operations, lower staff morale, and expose the organization to legal claims and regulatory fines.

Most states have their own data breach notification statutes, which generally require organizations to notify affected individuals and sometimes state authorities within a specified time frame. At the federal level, certain laws impose breach reporting requirements in specific sectors:

  • The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to notify affected individuals, the Department of Health and Human Services (HHS), and sometimes the media in the event of a breach involving protected health information.
  • The Gramm-Leach-Bliley Act (GLBA) imposes breach notification obligations on financial institutions.
  • The Federal Information Security Modernization Act (FISMA) requires federal agencies to report breaches of federal information systems.

Although these statutes are regulatory in nature, failure to comply can result in civil penalties and, in some cases, criminal charges if there is evidence of intentional concealment or obstruction of justice, as seen in the criminal prosecution of Uber's former Chief Security Officer.

Additionally, making false statements or withholding material information from federal investigators can lead to federal criminal liability under statutes such as obstruction of justice or misprision of a felony.

The final takeaway is that the court's decision underscores the legal and ethical duty of corporate executives to be transparent and forthcoming, especially when their organization is under federal investigation.
