Uber Security Chief Conviction Affirmed
The United States Court of Appeals for the Ninth Circuit has affirmed the criminal conviction of the former security chief for Uber.
Cybersecurity has become a major preoccupation of businesses as network hacks and data breaches multiply. Companies now turn to seasoned experts to address these challenges. Among the ranks of these experts is Joseph Sullivan, who served as the Chief Security Officer (“CSO”) for Uber Technologies (“Uber”) from 2015 to 2017. When he began at Uber, Sullivan’s reputation was that of a “world-class” cybersecurity expert, with a stint as an Assistant U.S. Attorney and several years of private-sector leadership experience under his belt. This case arose from choices Sullivan made as Uber’s CSO in the wake of a major data breach—specifically, his efforts to cover up that breach, even as Uber underwent investigation by the Federal Trade Commission (“FTC”) into the company’s data security practices.
When the breach and its cover-up came to light after having remained hidden for over a year, the government brought criminal charges against Sullivan. A jury convicted him of obstruction of justice and misprision of a felony. On appeal, Sullivan challenges several jury instructions, the sufficiency of the evidence, and an evidentiary ruling. We affirm.
The defendant had been hired after a 2014 breach; a second breach took place on his watch
Despite the similarities between the 2016 incident and the 2014 incident that the FTC was already investigating, no one at Uber informed the FTC of this new breach. Instead, unbeknownst to federal officials, Sullivan and a group of Uber staffers decided to track down the hackers and pressure them into signing a non-disclosure agreement (“NDA”) that purported to re-characterize the hack as “research” into “vulnerabilities” under Uber’s Bug Bounty Program. Through bug bounty programs, companies solicit and reward external security researchers’ discovery and disclosure of their systems’ vulnerabilities. See Jasmine Arooni, Debugging the System: Reforming Vulnerability Disclosure Programs in the Private Sector, 73 Fed. Comm. L.J. 443, 448–50 (2021). In ostensible exercise of the Bug Bounty Program, Uber paid the hackers $100,000 in exchange for their signatures on an NDA and an agreement to delete the downloaded data. Sullivan was involved in drafting the NDA and ultimately informed Travis Kalanick, then Uber’s Chief Executive Officer, that the hackers had signed the “contract.” Sullivan did not inform Uber’s general counsel of these developments, despite telling other employees to the contrary.
Sullivan also did not correct old statements, and instead signed off on new statements, to the FTC that Uber’s stores of private data on AWS were encrypted, even though the breach had exposed the fact that some of this data was unencrypted. Sullivan did so despite his and his team’s awareness that he “was just deposed on this specific topic” and that news of the breach would “play very badly based on previous assertions” to the FTC about data encryption. In the fall of 2017, Uber hired a new CEO, Dara Khosrowshahi. Soon after, Sullivan informed Khosrowshahi of the hack, but he omitted and misrepresented key details: He falsely stated that no data had been downloaded; mischaracterized the timing of the payment to the hackers; and omitted the magnitude of the breach and the amount of money paid to resolve it. When Khosrowshahi discovered the truth, he fired Sullivan and publicly disclosed the breach.
Upon learning of the breach, the FTC revised its complaint against Uber, withdrew acceptance of its original consent agreement with Uber, and prepared a new consent agreement that would impose additional reporting obligations on Uber. The revised complaint specifically referenced the 2016 data breach and the state of Uber’s data security as of November 2016.
Meanwhile, federal prosecutors brought felony charges against one of the hackers, Vasile Mereacre, for violating the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. In 2019, Mereacre pled guilty. Criminal charges were also brought against Sullivan. Sullivan was then tried and convicted for obstruction of justice and misprision of a felony. After sentencing, Sullivan moved for a judgment of acquittal or a new trial on the grounds that the district court erred in formulating the jury instructions and in admitting Mereacre’s guilty plea into evidence; and that the evidence of his conviction was insufficient as a matter of law. The court denied his motion. We have jurisdiction under 28 U.S.C. § 1291.
Conclusion
The jury’s verdict in this case underscores the importance of transparency even in failure situations—especially when such failures are the subject of federal investigation. The verdict is not tainted by any of the claimed instructional or evidentiary errors, nor can it be overturned for insufficiency of the evidence. We affirm the district court in all relevant respects.
The oral argument is linked here. (Mike Frisch)