We first published this note on 8 December 2022. We updated the note on 10 May 2023 with details of Joe Sullivan’s sentence
There has been a lot in the press recently about the prosecution of Joe Sullivan, the former Chief Security Officer (CSO) at Uber. Sullivan was convicted in the US on 6 October 2022 in connection with an investigation into a ransomware attack on Uber in 2016. He was sentenced on 4 May 2023. But does the Sullivan case mean that there are likely to be more prosecutions against executives? And could we see similar prosecutions in Europe?
Joe Sullivan was a well-respected Chief Security Officer with a prior career both in the law and in security. He had worked at the US Department of Justice (DoJ) including for a spell, with Robert Mueller, who later led the FBI and later still, the investigation into the then President, Donald Trump.
From the DoJ, Sullivan moved to eBay and Facebook and he joined Uber as its first CSO in 2015. He’d also been associated with other well-known US corporations including Airbnb and PayPal.
In 2016, Uber experienced a major data breach. Sullivan’s team engaged with the hackers and paid them $100,000 out of a budget that the company had to pay bug-bounties. The hackers were also asked to sign an NDA.
In 2017, Uber’s new management sacked Sullivan and in 2018 he joined CloudFlare as their first CSO.
In 2020 the DoJ announced criminal charges against Sullivan and he was subsequently convicted by a jury on one count of obstruction of justice and one count of misprision of a felony. Sullivan then left CloudFlare.
What was Sullivan’s sentence?
Sullivan was sentenced in May 2023 to 3 years of probation and a $50,000 fine. The judge, US District Judge William Orrick, stressed that ordinarily an executive in Sullivan’s position should expect a prison term and that the case was highly unusual even with someone of Sullivan’s previous good character. He said:
“If I had a similar case tomorrow, even if the character is that of Pope Francis, they should expect custody.”
Before sentencing, Sullivan’s legal team submitted 186 letters supporting him with many urging the judge not to send him to prison. Uber’s former CEO, Travis Kalanick, was one of those who wrote a letter to the court which led the judge to question why Kalanick had not himself been facing similar charges. “I am left with the impression he was at least as culpable as Mr Sullivan, and no one brought him to court,” Orrick said. “That’s something that weighed on me.”
Could this lead to more cases?
Almost certainly yes. It is not just CSOs and CISOs who are at risk either as the judge’s comments about Uber’s CEO show. After Sullivan’s conviction, the DoJ said:
“We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employees than in protecting users. Where such conduct violates the Federal Law, it will be prosecuted.”
Other agencies may also take note. It is perhaps indicative that the US Federal Trade Commission (FTC) took action against Uber subsidiary Drizly and its CEO at the end of October 2022 after Drizly’s data breach. The terms of that settlement also apply to Drizly’s CEO – if the CEO moves to a company with data on over 25,000 people, the consent order effectively moves with him too.
Could this lead to liability under GDPR?
The simple answer is something similar could happen in Europe. There are various obligations in GDPR which might be relevant here in addition to other laws relating to fraud and false accounting.
In GDPR terms the first provision to look at might be the transparency obligations under GDPR Art. 5. This has led to high fines under GDPR including the largest GDPR fine to date, the £746m fine against Amazon (see https://bit.ly/amazonfine). In fact research by MLex suggests that 66% of GDPR fines for which there is data available deal with the GDPR Art. 5 principles with 18% of cases dealing with data security.
There are well known obligations in GDPR to tell data protection authorities (DPAs) usually within 72 hours of a data breach (under GDPR Art. 33) and in some cases to tell data subjects under GDPR Art. 34. Data controllers are also under an obligation under Art. 31 to co-operate with DPAs. Art. 34 also gives DPAs special powers including audits and the right to complain to a court.
It is important to remember that in addition to GDPR, local law in different countries also gives additional powers and responsibilities. For example in the UK under s.148 Data Protection Act 2018, an individual could commit a criminal offence if they destroy or falsify information or documents. Unlike in Joe Sullivan’s case however, a breach of s.148 would not lead to jail time – the maximum penalty is a fine.
Previous Uber Enforcement
DPAs in the EU have already looked at Uber breaches. Uber was fined £385,000 in 2018 by the UK and fined €600,000 by the AP in the Netherlands at the same time. Both of these cases related to the 2016 breach (and are pre-GDPR cases as a result). The UK case was essentially on Uber’s failure to put in place adequate technical and organisation measures (TOMs) and in the Netherlands the central theme of the case was Uber’s failure to report the breach within 72 hours.
Uber entities were also fined €4.2m by the Italian DPA, the Garante in 2022 again for the 2016 breach with the core theme of this case looking at TOMs and transparency.
What about Class Actions?
A number of class actions have been contemplated or floated in the UK and in the Netherlands relating to the breach.
One UK action says that it is claiming compensation from Uber that will start at around £1500 per person.
Again, a key theme for the claimant lawyers seems to be the lack of transparency.
Is Insurance the answer?
In most cases, insurance is not likely to be the answer. Insurers are always reluctant to pay out to cover a criminal act and in many countries this is prohibited. Insurers are much more likely to be focused on data breaches partly as claims increase and partly because of the Lloyd’s announcement excluding nation state attacks (https://www.corderycompliance.com/lloyds-cyber-insurance1/). Whilst this case did not involve a nation state actor insurers are likely to be looking more closely at attribution and payments as a result of these changes. There are some wider thoughts on ransomware payments here https://www.corderycompliance.com/ransomware-pay-or-not/. There are obviously consequences, including possible fraud convictions if an insured was not straight with its insurers.
So what can an individual do to guard against their own liability? Again the key theme will be transparency. There has been much debate in compliance circles about the imposition of “noisy withdrawal” laws but effectively, any corporate executive (including CSOs, CISOs and Heads of Compliance) will need to think very carefully if they are party to any conversation where the company decides to cover something up.
For individuals changing roles they might also want to look harder with their potential new employer at whether there are already skeletons in the closet. If you are approached for a new role as a compliance officer, CSO or CISO you might want to put in place measures to try and protect yourself. Each case will be different. Practical steps might include:
- Do your due diligence. Has the business had issues previously? What can you find out about their attitude to compliance and their management team?
- Negotiate hard on your contract with proper protections – this might include the right to independent legal counsel (although this could be challenging given privilege concerns).
- Make sure you have the benefit of D&O policies.
- Look at your remuneration – a package heavily tied to share price may make you more vulnerable to prosecution.
- Making sure your organisation regularly tests its response to events – training sessions like the Cordery Data Breach Academy (see https://www.corderycompliance.com/cordery-data-breach-academy-2-2-2/) will help.
You can listen to a podcast discussion about the Sullivan case on the Everything Compliance podcast here https://bit.ly/3FD3EuW.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
You can read s.148 DPA 2018 here https://www.legislation.gov.uk/ukpga/2018/12/section/148/enacted.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
|André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
|Office: +44 (0)207 075 1784
|Office: +44 (0)207 075 1785