In 2016, Uber was the subject of a sophisticated cyber-attack which resulted in the loss of the personal information of hundreds of thousands of drivers and tens of millions of Uber customers. Uber’s Chief Security Officer’s immediate response to this unprecedented breach was to conceal the event for as long as possible, while trying to bribe the responsible parties into silence, so that news of the breach never went public. Unfortunately, this strategy quickly back-fired and Uber became embroiled in a storm of criticism. More significantly, Uber’s failure to inform the Federal Trade Commission of the breach brought unwanted attention from federal authorities.
Fast forward to August 2020, and a former Uber employee has been charged with federal crimes for alleged acts and omissions in trying to conceal the breach. Joe Sullivan, Uber’s Chief Security Officer and Deputy General Counsel at the time of the breach, is now facing up to five years imprisonment, and over $250,000 in fines, for Obstruction of Justice and Misprision of a Felony (for those not up-to-date with federal crimes, Misprision of a Felony is the failure to report a known felony to the authorities).
Response to data breach is the basis for criminal charges
The case against Mr. Sullivan is particularly noteworthy since there isn’t actually any express obligation under federal law to report such breaches to the FTC. In addition, there isn’t any prohibition on paying ransom to hackers. Nonetheless, the government has alleged that Mr. Sullivan’s failure to adequately and timely disclose the breach to the FTC was an obstruction of justice. The government has also taken issue with the manner in which Mr. Sullivan tried to conceal the ransom payment by passing it off as a payout under Uber’s “Bug Bounty” program, and, further, sought to have the hackers sign non-disclosure agreements preventing them from revealing the breach and the payoff. Mr. Sullivan also allegedly concealed the breach from Uber’s senior leadership.
The takeaway for businesses? Know your data breach reporting requirements!
It is important to note that the circumstances surrounding this data breach were quite complex and included the fact that an FTC investigation of Uber, arising from a prior data breach that occurred in 2014, was ongoing at the time of the 2016 breach. Therefore, it is difficult to ascertain what the long-term consequences of these criminal proceedings may be. One thing that is clear, however, is that businesses which find themselves the victims of hackers should thoroughly evaluate all federal and state reporting requirements. In some cases, there are indeed express federal reporting requirements that carry significant civil penalties for failing to comply; for instance, healthcare providers have various affirmative duties under HIPAA to report breaches to the Secretary of HHS. Finally, it appears advisable to always err on the side of reporting and avoid even the appearance of concealment, whether that be affirmative concealment or the mere failure to adequately or fully disclose the adverse event.
This blog is made available by Goodman Allen Donnelly for general information, and does not constitute legal advice. By reading this blog, you understand that there is no attorney-client relationship between you and the firm. This blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.