Federal prosecutors won a conviction against Joe Sullivan this week for his actions in handling a 2016 data breach while he was Chief Security Officer (CSO) at Uber. Specifically, he was convicted of obstruction of proceedings of the Federal Trade Commission (FTC) and misprision of a felony for his attempted concealment of the breach. This was the wrong result and a lost opportunity for the federal Government to send a real message and set an example on cyber governance.
It was the wrong result because it was the wrong case: it laid blame on the CSO instead of the company’s directors and officers (D&Os). Sullivan was, in effect, convicted for failing to report a data breach, which is not itself a crime; the government made it one by asserting that his payments to the hackers “concealed” the attack, and that his failure to report the data theft “obstructed” an FTC investigation that was already under way.
Both theories depend on the notion that it is the obligation of the CISO/CSO, and not the General Counsel or CEO, to report data breaches. Prosecutors should instead have targeted Uber’s board and C-suite, at least Travis Kalanick, Uber’s founder and then-CEO, together with Joe Sullivan, with the concealment charge, and laid bare the lack of management and board oversight of the company’s cybersecurity program and associated risks. By focusing on Sullivan’s actions alone, the Government amplified the prevailing notion that the CISO/CSO should be blamed for any major cyber event.
The case caught the headlines. The conviction did not send tremors through board rooms across America, but it did send chills up the spines of CISO/CSOs: it was the first time a CISO/CSO had been held criminally liable for their actions in managing a cyber attack. Until companies treat cyber as an enterprise risk and make business units responsible for the systems and data they use, cybersecurity programs will continue to lag and CISO/CSOs will be incentivized to minimize, or lie about, cyber attacks. That should scare America, because our current state of cybersecurity plays a key role in national and economic security. Spreading responsibility for cyber risks across an organization is not just a best practice; it is the only way cybersecurity programs get implemented in operations and mature.
By way of background, Sullivan had been CSO of Uber for approximately 18 months when the 2016 breach occurred. He was contacted by the criminals, who said they had stolen credentials and used them to access data on 57 million Uber riders and drivers, including about 600,000 driver’s license numbers. Sullivan, who is an attorney and was previously a cybercrime prosecutor at the Department of Justice (DoJ), confirmed the hackers’ claims and handled the communications with them.
Sullivan told Kalanick about the breach the next day. Texts between them indicate that Sullivan suggested the company pay the criminals their requested amount through HackerOne’s bug-bounty program, and Kalanick approved the $100,000 payment. Sullivan also consulted Uber’s in-house attorney Craig Clark. Both the CEO and Clark knew there had been a data breach; the responsibility to report the incident sat more in the CEO’s and legal department’s lap than in Sullivan’s.
Sullivan struck a deal with the criminals: they would be paid the requested $100,000 if they signed a non-disclosure agreement stating (1) that they would not disclose the breach, and (2) that they had not taken, stored, used, or disclosed any Uber data. DoJ claimed this second provision was a false statement, since the hackers had in fact obtained Uber data. According to testimony at trial, Sullivan actively worked to keep the hack under wraps and away from regulators, the public, and the press.
The Company Had The Responsibility; Not a Single CSO
Let’s unpack this. When Sullivan joined Uber, the company was under investigation by the FTC over a much smaller 2014 breach and had received a Civil Investigative Demand (CID) from the agency requiring it to provide information about other instances of unauthorized access. Responding to that CID was a responsibility of the company, not of Joe Sullivan personally. Uber’s General Counsel was involved in managing the FTC’s inquiry. Irrespective of any role Sullivan had in negotiating with the hackers, it was not his sole responsibility to provide information to the FTC or any other agency.
Other than the CID, there was no obligation on the company to notify the FTC at the time of the breach. Although much has been made of the proposed settlement between Uber and the FTC, which obligated Uber to implement a strong cybersecurity program and prohibited it from misrepresenting its security practices, that proposed settlement was not entered into until August 15, 2017, nine months after the 2016 breach. At the time Joe Sullivan was communicating with the hackers and getting them to sign a non-disclosure agreement, the company was under no obligation beyond the CID.
So why hang the CSO for the concealment of the breach and ignore Kalanick and the company’s other D&Os? Remember, there were two separate acts here: Sullivan’s “concealment” of the breach (paying the hackers not to disclose it) and Uber’s non-disclosure of the breach. While Sullivan may be responsible for the “concealment,” it was the decision of Kalanick, and possibly other senior management, not to make a formal breach disclosure.
Kalanick was CEO of the organization and knew of the breach the day after it occurred. Why didn’t he escalate this to his senior management team and Board of Directors? Why didn’t the company have a governance process in place that would have required such escalation? Why wasn’t the General Counsel informed of the incident? Why wasn’t the General Counsel involved in reviewing the non-disclosure agreement that Joe Sullivan was presenting to the hackers on behalf of Uber? Why didn’t the legal department have procedures in place that would have required in-house attorney Craig Clark to notify the General Counsel of this legal issue? Why didn’t the company ensure security and legal duties were segregated so one person could not act as both CSO and legal counsel? (At trial, the General Counsel noted that, while Sullivan was an attorney, he was not part of the General Counsel’s office.)
These questions are important because they go to the heart of what cyber governance is all about. They are also important because they are central to why this case was the wrong one to take to court. The U.S. Government has been pounding on the business community for two decades to improve their cybersecurity programs, and it had the ammunition it needed to go after the directors and officers of Uber for concealing the breach and not reporting it. The Government had the opportunity to send a shot across board tables and hold them accountable; Uber’s C-suite should have been managing cyber risks and its board should have been exercising oversight. Uber should have had a cyber governance framework in place that would have informed them about the hack so it could be appropriately handled and reported.
The Ostrich Defense is Gone
The ostrich defense is gone. D&Os have a fiduciary duty to protect the assets of a corporation. Recent Delaware case law has, in certain circumstances, narrowed the deference given to boards, particularly with respect to the duty of loyalty and good-faith oversight. Those cases make clear that boards must make a good-faith effort to establish a board-level system for monitoring and reporting on key risks and to review it regularly. In a cyber context, meeting the duty of loyalty and exercising good-faith oversight can be read to require that a board has identified its key cyber risks, established an information and reporting system that delivers critical information about those risks, and put a process in place to monitor them.
The Delaware Supreme Court in Stone v. Ritter identified the “necessary conditions” for director oversight liability: (1) the directors utterly failed to implement any reporting or information system or controls, or (2) having implemented such a system or controls, they consciously failed to monitor or oversee its operations. E. Norman Veasey, former Chief Justice of the Supreme Court of Delaware, and Randy J. Holland, former Justice of that court, noted in an article in The Business Lawyer that “directors not only must adhere to the fiduciary duties of care and loyalty in decision making but also that they must exercise in good faith the responsibility of overseeing the behavior of management.”
Uber’s board was not supervising management, it did not have a reporting system in place for informing the board, and it was not monitoring cyber risks. Kalanick was running his own show, and the board was in the dark about critical events within the company. Even in the midst of an FTC investigation, the board was uninformed on cyber risks and had not put policies and procedures in place to ensure D&Os received information about cyber incidents. Thus, it is fair to conclude that the entire board concealed the 2016 breach through its ignorance of the cyber operations of the company it had the responsibility to govern.
There is plenty of guidance and resources that companies can leverage to establish a cyber governance framework:
- There are two ISO standards on the governance of information security, ISO 27014 and ISO 24143.
- The Federal Financial Institution Examination Council (FFIEC) has set forth clear best practices for financial institutions’ governance of cyber risks.
- The NIST Cybersecurity Framework includes a Governance category (ID.GV) under its Identify function, covering security policy, roles and responsibilities, legal and regulatory requirements, and risk management processes.
- Federal and state regulators have issued guidance and requirements for IT and cybersecurity governance, including a proposed rule from the SEC on cybersecurity governance.
In 2018, following the Equifax breach, the SEC issued additional guidance to publicly traded companies that stressed the importance of informing the C-suite and board about incidents:
“Crucial to a public company’s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents. In addition, the Commission believes that the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”
What Uber And The Government Can Do Going Forward
More than other innovation hubs, Silicon Valley has developed a disturbing Wild West culture, and its startups are notorious for lax governance. Uber has been a textbook example on several fronts. Uber is a global company with a market cap of $55 billion; that is big enough to act like a grown-up. Granted, Kalanick is no longer with Uber, and the company has taken steps under new CEO Dara Khosrowshahi to get its act together, but it, along with its VCs and investors, could do more to provide leadership that prevents these mistakes from recurring at other companies.
While Kalanick may argue that he did not have all the information necessary to decide whether a breach disclosure was required, he knew there had been a hack that exposed the personal information of the company’s customers and drivers. It seems clear that the only reason the Uber board did not know about the hack is that it did not want to know, and that Kalanick and Sullivan wanted to keep it under wraps. When Khosrowshahi became CEO and learned of the hack, he promptly disclosed the earlier breach. What happened under Kalanick was not a lack of knowledge but a lack of a governance process. Uber could save itself from becoming a cybersecurity “poster company” by taking a leadership role in teaching startups about good cyber governance.
The Government also has a role to play, and coordinating among agencies and departments on regulatory action, guidance, and expected best practices is the best starting point. In March 2022, the SEC issued proposed cybersecurity rules and reporting requirements whose key thrust is governance, including disclosures about how cyber risks are assessed, the roles of D&Os in cyber oversight, information flows for reporting, and monitoring. This is an important step. Prosecutors and enforcement agencies can contribute by bringing actions that target companies with poor governance practices and impose cyber governance requirements, instead of targeting CISO/CSOs. The SEC can advance this for public companies, and the FTC can take a similar position with all companies, because the lack of cyber oversight and executive management of cyber risks hurts investors, consumers, and America.