Lessons From the Complaint Against Uber’s Former Chief Security Officer
On August 20, 2020, former Uber Chief Security Officer Joe Sullivan was charged with obstruction of justice and misprision of a felony for knowingly concealing a hack of Uber in 2016. Based on the complaint against Sullivan, individuals and corporations can learn valuable lessons in responding to cyber intrusions by considering: (1) what Sullivan allegedly did wrong; (2) what corporate officers are required to do after a cyber intrusion; and (3) how a company should prepare in anticipation of a possible intrusion.
1. Sullivan’s Alleged Obstruction of Justice
According to the criminal complaint, two hackers contacted Sullivan by email in 2016 and demanded a six-figure payment in exchange for silence regarding their computer intrusion into Uber. The criminal complaint alleges that Sullivan took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission (“FTC”) about the breach. The FTC had previously been investigating a 2014 intrusion into Uber when Sullivan received the email in 2016 regarding the new intrusion and the demanded payment.
Sullivan’s team confirmed the new hack within 24 hours of the hackers’ email demand, but did not disclose it to the FTC. Sullivan sought to pay the hackers in Bitcoin and negotiated non-disclosure agreements with the hackers, which falsely represented that the hackers did not take or store any data. In the midst of Sullivan’s efforts, Uber named a new Chief Executive Officer in August 2017, whom Sullivan allegedly deceived in reports about the 2016 breach. The new management at Uber eventually discovered the data theft and disclosed the breach both publicly and to the FTC in November 2017.
The two hackers identified by Uber pled guilty in October 2019. However, the criminal complaint against Sullivan emphasizes that the hackers targeted and successfully hacked other technology companies after Sullivan negotiated with the hackers, but before the hackers came to the attention of law enforcement.
Sullivan responded that the complaint was “without merit.” Sullivan’s spokesperson further commented that “Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies. Those policies made clear that Uber’s legal department—and not Mr. Sullivan or his group—was responsible for deciding whether, and to whom, the matter should be disclosed.” https://edition.cnn.com/2020/08/20/tech/uber-security-chief-charged/.
2. Corporate Requirements to Cooperate in a Cyber Investigation
Companies must weigh numerous legal, economic, and social considerations when choosing when and what to share regarding cyber intrusions. The two main categories of disclosure are often confused by businesses: (A) breach disclosure, when the company tells individuals that hackers may have accessed personally identifying information in the company’s possession; and (B) crime reporting, where the victim company notifies law enforcement of the unauthorized intrusion into its computer systems.
A. Breach Disclosure
Breach disclosure is mandatory for companies holding personal data. Different states have different laws regarding the thresholds, timelines, and content of reporting. It is a mistake to consider such reporting optional. Many states have significant civil penalties for non-compliance.
In addition to privacy-related breach notification, public companies must consider disclosure requirements to apprise investors of corporate risk. The Securities and Exchange Commission (“SEC”) issued guidance in 2011 that, although there was no explicit disclosure requirement, companies may be obligated to disclose risks and intrusion incidents. After that guidance in 2011, many companies included additional cybersecurity disclosure, typically in the form of risk factors, in their annual or other reports. Follow-up guidance in 2018 reiterated the need for disclosures in company reports as a benefit to investors. The SEC advised companies to reconsider the adequacy of their disclosures and also noted that prompt disclosure of cybersecurity incidents could reduce the risk of insider trading based on material non-public information.
Companies may have additional disclosure requirements based on industry, data type, or specific laws. Laws such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) include breach reporting obligations.
B. Crime Reporting
Companies must separately consider when to report criminal intrusions to law enforcement authorities. Some states allow delay of breach disclosure if criminal investigations are underway.
Despite the federal “misprision of a felony” law and assorted similar state laws, private companies and private citizens have traditionally not been obliged to report crimes to law enforcement. “[A] person who witnesses a crime does not violate 18 U.S.C. § 4 if he simply remains silent.” United States v. Ciambrone, 750 F.2d 1416, 1418 (9th Cir. 1984). In Ciambrone, the defendant was innocent of misprision of a felony even though he made partial disclosure of true information. The court held that selective silence was not a crime.
Active steps to conceal a felony, however, are not the same as silence. For example, a government official who fraudulently arranged for life insurance proceeds to pay off loans not owned by the deceased was guilty of misprision of a felony. United States v. White Eagle, 721 F.3d 1108, 1119–20 (9th Cir. 2013). The government official’s factual reports were insufficient because they were tailored to obscure the fraudulent nature of the transactions. The government official also received personal benefit for his concealment of the fraud.
It is unclear whether misprision of a felony applies to a failure to report a cyber incident. The Ninth Circuit affirmed that “[t]o establish misprision of a felony,” under 18 U.S.C. § 4, “the government must prove beyond a reasonable doubt: ‘(1) that the principal . . . committed and completed the felony alleged; (2) that the defendant had full knowledge of that fact; (3) that he failed to notify the authorities; and (4) that he took affirmative steps to conceal the crime of the principal.’” United States v. Olson, 856 F.3d 1216, 1220 (9th Cir. 2017). Additionally, the Ninth Circuit added the requirement that the defendant knew that the conduct was a felony. Cyber intrusion investigation personnel often know the criminal nature of a cyber intrusion and could arguably be subject to misprision of a felony if they actively seek to hide the intrusion from law enforcement.
There is scant case law on what “affirmative steps to conceal” would look like if a hacking victim failed to report it. Misprision of a felony indictments often occur where the defendant is also accused of other crimes. Incidentally, similar concerns regarding misprision of a felony arose in the late 1970s after the Sherman Act made felonies of some antitrust actions of corporate executives. Despite such concerns, little case law developed on the subject.
For cyber intrusion cases already being investigated by law enforcement, there are stronger disclosure expectations and any company personnel that hide facts or perpetrators may be treated as accomplices of the hackers. This is especially true if company officials benefit personally from keeping the attack a secret.
Even without an ongoing law enforcement investigation, however, if any company fails to comply with breach disclosure laws, or if public company officials fail to report cyber-attacks to investors, this might be considered active concealment. The SEC has repeatedly advised companies to consider the adequacy of their disclosure of cyber incidents. If a company is hacked, does not report it to law enforcement, fails to disclose the attack in company reports, fails to comply with breach notification disclosures, and/or executives obtain personal benefit from maintaining intrusion secrecy, executives may be charged for misprision of a felony. Guilt may depend on the company officials’ efforts to prevent disclosure of the hack by either employees or the hackers. Further, any insider-facilitated hacks could line up more closely with the facts in Olson and make knowledgeable executives hiding insider involvement subject to prosecution.
3. Corporate Preparation for a Cyber Attack
In today’s world, firms should plan for what to do when, not if, they are the victims of a cyber intrusion. A corporate cyber intrusion involves overlapping phases of investigation, documentation, and reporting. These phases likely involve combinations of internal information technology personnel, legal personnel, management, and marketing or public relations personnel. Companies should plan who takes the lead, what combinations of personnel should be involved, and who should make various decisions. In addition to dealing with the intrusion itself, companies might need to activate continuity of operations plans to run their business after loss of data, hardware, or other computer functionality.
Victims may also have civil recourse for damages or costs associated with the intrusion or the response to the intrusion. However, unless the perpetrators are corporate competitors committing commercial espionage, the hackers are likely judgment-proof, and companies should not expect significant economic recovery. Direct financial theft may be recoverable by working with a victim company’s financial institutions, so companies should learn their financial institutions’ reporting channels in advance.
Cyber security insurance may be a viable option for companies to alleviate the costs of responding to an intrusion and returning to business as usual. Legal counsel should carefully review the terms of any insurance policy. There are no standard coverage terms and subtle differences in contractual language could have a significant impact on what circumstances justify insurance payouts.
Companies and their executives may be judged more by how they respond to an intrusion than the details of the intrusion itself. All of these issues require careful thought and discussion among executives and legal counsel, preferably before an intrusion.
An ounce of prevention is worth a pound of cure. While this saying has obvious significance for designing IT systems to prevent an intrusion, it also applies to advance planning for an intrusion incident. The time spent planning and preparing for an intrusion is much less costly than the confusion, delay, and potential errors that may occur in the aftermath of an intrusion.
As for Sullivan, our criminal justice system presumes that he is innocent of the charges against him. However, regardless of the outcome of this particular case, the charges against him are a wake-up call that covering up and/or failing to report an intrusion to law enforcement may itself be a crime, and one that some federal prosecutors may be willing to pursue.