Joe Sullivan was drawn to the role to help prevent cybercrimes. His role as Chief Security Officer (CSO) of Uber was a change from his previous job prosecuting cybercriminals as an assistant US attorney, but the former lawyer soon found himself on the wrong side of the law. On May 4, 2023, Sullivan was sentenced to three years of probation in the USA for failing to report a 2016 breach at taxi company Uber that threatened to expose the data of 600,000 drivers and the personal information of 57 million customers.
Sullivan’s case has caused much anxiety among cybersecurity professionals, due to fears that they themselves could face legal penalties for simply doing their jobs and protecting firms against crime. But it has also galvanized the community and some 186 letters of support for him were sent to sentencing judge William Orrick, and he maintains that this is the key reason he didn’t go to prison.
The letters said that Sullivan had a good record and a reputation for stepping into growing e-commerce companies, including eBay and Facebook, and building their security and privacy programs.
So, who should be liable for the handling of breaches, if not the security officer?
Well, it is probably true that he was responsible as head of security and should have done something about warning the firm’s clients. The judge summed up the case: “This is a tough industry, tough decisions are made, maybe this was a good-faith mistake but that’s all it was… the lessons of this case are … follow the law, follow the rules, don’t withhold information from an active, ongoing investigation.”
A key point of confusion has arisen over when exactly to report. No doubt Capita executives will be nervous and following the case, because there are allegations that they downplayed the security breach at their own firm. Sullivan has been accused of a cover-up, even though paper trails show that Sullivan had set up an incident tracker for the response team and had informed and deferred to Uber’s CEO at the time, Travis Kalanick, and to Uber’s own lawyer, Craig Clark. The judge said “… I am left with the impression that he (Kalanick) was at least as culpable as Mr. Sullivan, and nobody brought him to court.”
Even more bizarre, at least to British readers, is that the lawyer, Craig Clark, had received government immunity in exchange for testifying. It was Clark who had recommended not reporting the breach because Sullivan’s team was able to retrieve the data before it leaked on the dark web. And that raises another question: is reporting required if the hackers were caught and their systems expunged of the sensitive data before it leaked to the dark web?
Weirdly, the way that Sullivan had traced the stolen records was by tricking the two hackers into signing an NDA and using that signature to track their IP addresses.
The same hackers are being prosecuted for conspiracy to commit extortion at the same district court in Northern California in which Sullivan was tried.
But the key is that because Sullivan failed to report the crime in 2016, their arrests were delayed.
Uber is based in San Francisco, California, home of the consumer privacy act. California law requires a business or state agency “to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person.” The UK takes a more principles-based approach, requiring reasonable actions, and it is unlikely that an individual will be prosecuted unless it is shown that they acted unreasonably. Judge Orrick noted in the sentencing hearing: “If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison.”
BATSOFT don’t have all the answers, and we can only guide you, and of course take the best care we can of the data we hold on your behalf. But if the breach is yours, then you may be held accountable, and like the former prosecutor turned defendant Sullivan, you may have to face the music in court.