“This is a unique case because there was that ongoing FTC investigation,” says Shawn Tuma, a partner in the law firm Spencer Fane who specializes in cybersecurity and data privacy issues. “He had just given sworn testimony and was most certainly under a duty to further supplement and provide relevant information to the FTC. That’s how it works.”
Tuma, who frequently works with companies responding to data breaches, says that the more concerning conviction in terms of future precedent is the misprision of felony charge. While the prosecution was seemingly motivated primarily by Sullivan’s failure to notify the FTC of the 2016 breach during the agency’s investigation, the misprision charge could create a public perception that it is never legal or acceptable to pay ransomware actors or hackers attempting to extort payment to keep stolen data private.
“These situations are highly charged and CSOs are under immense pressure,” Vance says. “What Sullivan did seems to have succeeded at keeping the data from coming out, so in their minds, they succeeded at protecting user data. But would I personally have done that? I hope not.”
Sullivan told The New York Times in a 2018 statement, “I was surprised and disappointed when those who wanted to portray Uber in a negative light quickly suggested this was a cover-up.”
The facts of the case are somewhat specific in the sense that Sullivan didn’t simply lead Uber to pay the criminals. His plan also involved presenting the transaction as a bug bounty payout and getting the hackers—who pleaded guilty to perpetrating the breach in October 2019—to sign an NDA. While the FBI has been clear that it doesn’t condone paying hackers off, US law enforcement has generally sent a message that what it values most is being notified and brought into the process of breach response. Even the Treasury Department has said that it can be more flexible and lenient about payments to sanctioned entities if victims notify the government and cooperate with law enforcement. In some cases, as with the 2021 Colonial Pipeline ransomware attack, officials working with victims have been able to trace payments and attempt to recoup the money.
“This is the one that gives me the most concern, because paying a ransomware attacker could be viewed out in the public as criminal wrongdoing, and then over time that could become a sort of default standard,” Tuma says. “On the other hand, the FBI highly encourages people to report these incidents, and I’ve never had an adverse experience with working with them personally. There’s a difference between making that payment to the bad guys to buy their cooperation and saying, ‘We’re going to try to make it look like a bug bounty and have you sign an NDA that’s false.’ If you have a duty to supplement to the FTC, you could give them relevant information, comply with breach notification laws, and take your licks.”
Tuma and Vance both note, though, that the climate in the US for handling data extortion situations and working with law enforcement on ransomware investigations has evolved significantly since 2016. For executives tasked with protecting the reputation and viability of their company—in addition to defending users—the options for how to respond a few years ago were much murkier than they are now. And this may be exactly the point of the Justice Department’s effort to prosecute Sullivan.
“Technology companies in the Northern District of California collect and store vast amounts of data from users. We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers,” US attorney Stephanie Hinds said in a statement about the conviction on Wednesday. “Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught. Where such conduct violates the federal law, it will be prosecuted.”
Sullivan has yet to be sentenced—another chapter in the saga that security executives will no doubt be watching extremely closely.