In 2016, Joseph Sullivan was chief security officer (CSO) at Uber when a data breach exposed the personal information of 57 million users. Earlier this month, after three weeks of trial, Sullivan was found guilty of concealing the data breach and obstructing the Federal Trade Commission’s (FTC) investigation. He now awaits sentencing, where he faces a maximum statutory penalty of five years in prison for the obstruction charge and a maximum of three years in prison for the misprision charge (failing to report a felony), along with a $250,000 fine for each charge.
This verdict serves as a cautionary tale of the personal, criminal liability cybersecurity professionals, in-house counsel and other company executives could face if their actions are deemed to “cover up” a data breach.
The main issue at trial was whether Sullivan paid a bug bounty or a ransom. Companies often turn to crowdsourcing vulnerabilities of their systems through bug bounty programs that incentivize security researchers to find vulnerabilities in exchange for a monetary reward. In fact, the FTC alleged in a 2022 enforcement action against CafePress that the company failed to provide reasonable security because it “failed to implement a process for receiving and addressing security vulnerability reports from third-party researchers.”
Bug bounty programs can go awry if there is disagreement between the researcher and company concerning the validity of the bug. To prove the vulnerability exists, security researchers may exploit the vulnerability, hold the personal data hostage, and demand the payment they feel entitled to — which kind of feels like a ransom. The Department of Justice (DOJ) raised similar points around when good-faith research turns into malicious acts in its new policy on Computer Fraud and Abuse Act prosecutions. The distinction is critical because a malicious actor exfiltrating data is actually a data breach, which is required to be reported to the FTC.
In Sullivan, the DOJ argued that the CSO paid malicious hackers a large sum of money with the intention of disguising the data breach as a bug bounty to avoid FTC reporting obligations. The DOJ said that Sullivan executed a nondisclosure agreement (NDA) with the hackers to cover up the incident, rather than in the normal course of the bug bounty program, in which NDAs are common to prevent the researcher from publicizing the vulnerability before it’s patched.
In closing arguments, Sullivan’s lawyer challenged the notion of it being a cover-up by arguing that the blame lay with the numerous executives who allegedly knew about the breach, as well as Uber’s legal team, which allegedly failed to inform the FTC.
Cybersecurity professionals watched this trial closely given that CSOs often do not make the decision of whether to report an incident to the FTC, and it seems unlikely that a CSO would have made the unilateral decision to execute an NDA without consulting the legal department. Ultimately, however, evidence of how the security team responded to the breach, including internal documents and several NDAs, sealed the guilty verdict.
This verdict sets precedent for how the DOJ plans to respond to similar incidents going forward. After the verdict, the federal prosecutor stated, “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and their employers than protecting users.”
Cybersecurity professionals should pay close attention as creative solutions to avoid breach reporting could spell personal liability. As such, here are practical tips for ensuring that teams are protecting the company without exposing themselves to personal liability:
- Effectively and accurately document the briefing of the C-suite, board members and legal team on any cybersecurity issues. Keeping stakeholders informed of actual and suspected incidents ensures that decisions are made collectively and in the best interest of the company. By documenting these briefings, discussions and decisions, individuals can protect themselves and aid in the documentation efforts required by a coherent incident response plan.
- Maintain a detailed, accurate and transparent incident response plan. If you have read any other insights we have published, you will see a consistent theme around documentation. Documentation is the linchpin of incident response. The ability to pull up notes from the meeting where the board was informed of an incident can help absolve individuals of criminal liability. Consequently, this information may become discoverable during any litigation.
- Remember that communication about any cybersecurity incidents could expose an individual to criminal liability.
Write emails and communications as though a regulator will read them – because they will. An email saying “why don’t we just say this was part of the bug bounty program” is the smoking gun regulators are looking for.
- Remain cautious about facilitating a payment of a bug bounty or ransom. The crux of this case is the payment to hackers and the nondisclosure agreement. Companies should maintain clear, detailed guidelines and procedures for operating any vulnerability disclosure programs like a bug bounty program. Additionally, the legal team must be aware of the nuances of bug bounty programs and understand when overreporting may be in the company’s best interest.
Parker Poe law clerk Alexandria Hill also contributed to this article.
If you’d like to read the original source of this article please click here Visit Source