The InfoSec world has been atwitter over the indictment of former Uber CSO (and current Cloudflare CISO) Joe Sullivan on criminal charges related to the failure to report to the FTC a massive data breach involving millions of personal records stolen from the ride sharing service. The allegations in the complaint are that the Federal Trade Commission was investigating a 2014 breach at Uber, and Sullivan, a former Assistant U.S. Attorney, was handling the company’s response to the FTC investigation of that breach. In November 2016 Sullivan learned of another data breach which “had resulted in the hackers obtaining millions of records associated with Uber’s users and drivers.” The complaint asserts that Sullivan “engaged in a scheme to withhold and conceal from the FTC” the fact that the 2016 hack occurred, and its scope, that Sullivan “paid off” the hackers to not disclose the hack (and used the company’s “bug bounty” program to do so) and that Sullivan concealed information about the hack from the company’s General Counsel and incoming CEO.
The case is causing great consternation in the InfoSec community partly because it is the first instance in which a CSO or CISO has been personally held responsible (other than by firing) for a data breach response, and the first time that criminal sanctions of any kind have been sought against the corporate victim of a data breach for handling (mishandling) the data breach itself.
A few observations — some legal, some not.
First, there is little doubt that Uber as an entity and Sullivan as an individual mishandled the 2016 data breach. Once you learn that PII or other protected information has been “accessed without authorization,” you have to disclose that breach either to the data subjects, to certain state attorneys general, or both. Second, there is little doubt that you don’t pay a hacker to keep a data breach silent. It’s not good policy, it looks bad, it won’t work, and it is against public policy. It is important to note that the indictment against Sullivan is NOT for failing to report the data breach, but for taking affirmative steps to conceal it.
Data Breach Response
There are three ways to respond to a data breach. The wrong way, the very wrong way, and the way that will land your CSO in jail. I often say that there is no RIGHT way to respond to a data breach — the role of the CSO, CIO, CISO, General Counsel, etc., is to find the least wrong way to respond. What you don’t want to do is to obstruct justice. That would be bad.
In the Uber case, the government alleges that Sullivan, through Uber’s “bug bounty” program, paid the hackers $100,000 to keep quiet about the data breach, partly because Uber was, at the time, in the process of negotiating a settlement with the FTC over a previous data breach, and did not want the FTC to know that whatever “preventative measures” they were claiming to have taken as a result of the prior breach simply did not work.
Whenever something “bad” happens within a company — whether it is a system outage, a DDoS attack, a ransomware attack, malware, phishing attacks, theft of trade secrets, extortion, revenge porn or doxing against corporate executives — there is an understandable desire to ensure that the “bad” things don’t become public. Where there is a data breach involving certain kinds of personal information, various state and federal laws mandate notification. But a whole host of other cybercrimes can be and are perpetrated against a company without a legal requirement of notification. A company may choose to pay a ransom in a ransomware situation not only to get access to its data back, but also to protect its reputation and ensure that its customers don’t learn of the incident. There is a natural and understandable reluctance on the part of corporate crime victims to report the fact that they have been the victim of a crime, and to admit their own culpability or failure to prevent the crime from occurring. Whether or not to report an incident — whether a data breach, a malware attack, or other InfoSec incident — ultimately lies with management, advised by the CISO, CIO, CSO and, of course, inside and outside counsel.
Whose Job Is It To Report?
Sullivan, through counsel, has asserted that the ultimate responsibility for whether or not to report the 2016 breach lies not with the CIO, but with the General Counsel, on whom the duty of regulatory compliance falls. Maybe. First, as part of your incident response plan, you need to make that determination in advance. Second, for that plan to work, you need to have open and truthful communications between all parties involved, where they disclose what they know (and what they did) and what they don’t know about the incident. Sullivan isn’t responsible for the fact that the General Counsel didn’t disclose the breach unless Sullivan provided inaccurate or misleading information that led the GC to conclude that a breach disclosure was not required. There is also the question of whether the GC authorized the payment to the hackers, and whether at the time the GC knew or should have known that the payment was not a “bug bounty” but was rather “hush money.” The normal bug bounty payment topped out at $10K. The hackers were paid $100,000. We will wait to see what the evidence is. The complaint seems to suggest that, while the General Counsel was in the dark, the former CEO of Uber and Sullivan exchanged notes about the incident, suggesting that the former CEO may have known.
Is It A Crime?
It is important to stress that, while the data breach disclosure laws require disclosure of certain data breaches, there do not appear to be any criminal penalties for failure to report. But Sullivan is not charged with merely failing to report a data breach. Sullivan is charged with, among other things, “misprision of a felony” – a concept that causes first-year criminal law students to shudder in recognition. The federal statute, 18 USC 4, makes it a crime for anyone with “knowledge of the actual commission of a felony … [to] conceal[] and … not as soon as possible make known the same to some judge or other person in civil or military authority.” As the 9th Circuit federal court recently explained, the elements of the crime are “(1) that the principal [in this case the hackers] . . . committed and completed the felony alleged [violation of the CFAA]; (2) that the defendant [Sullivan] had full knowledge of that fact; (3) that he failed to notify the authorities; and (4) that he took affirmative steps to conceal the crime of the principal [hackers].” Also, the government would have to show that Sullivan knew that the hacking was a felony. Sullivan was a former Assistant United States Attorney. I think the government might be able to prove that he knew that hacking and stealing millions of personal records was a felony. AmIRite?
The prospect of CSOs and CISOs going to jail for “not reporting” security incidents is scary. Companies are victims of felony computer “hacks,” attempted hacks, DDoS attacks, ransomware and attempted ransomware attacks, people “exceeding the scope” of their authorization to use computers and computer resources, and violations of Terms of Service and Terms of Use a few thousand times a day. Each of these “attacks” and attempted attacks is a felony, and companies have “actual knowledge” of the commission of these felonies. They almost never report them.
Now the federal misprision statute does not mandate reporting of crimes — at least not technically. It punishes “concealing AND not reporting,” although what kinds of acts constitute “concealing” a crime is not clear. Other courts have made it clear that, under the misprision statute, the defendant must both not report and take some affirmative act to “conceal” the crime. Merely not reporting a crime is not sufficient. As another court explained, “To be convicted of a misprision of a felony offense, the defendant must commit some affirmative act to prevent discovery of the earlier felony. Such conduct necessarily entails the act of intentionally giving a false impression, i.e., the false impression that the earlier felony never occurred.” While Uber clearly created the false impression that the earlier felony never occurred, the government would have to show that Sullivan personally did so.
The Sullivan case represents the first time this statute has been used to prosecute the victim of a cyber-attack for not reporting the attack because he concealed it through the NDA. Remember, the misprision statute applies not only to crimes for which there is a duty to report (e.g., data breaches) but to any felony committed by or against the company. Theoretically, could any affirmative act to “conceal” the fact that a company has been the victim of a cybercrime (like an email to the CISO saying “let’s keep this close to the vest”) be the basis for an indictment? The legal complaint against Sullivan is chock full of allegations of conduct which are pretty normal for a CSO responding to an incident — and indeed are the kinds of recommendations any competent counsel would encourage of their client. The complaint notes that “Sullivan instructed his team to keep knowledge of the 2016 Breach tightly controlled. Witnesses reported Sullivan was visibly shaken by the events. A witness also reported that Sullivan stated in a private conversation that he could not believe they had let another breach happen and that the team had to make sure word of the breach did not get out. Sullivan instructed the team that knowledge of the breach was to be disclosed outside the security team only on a need-to-know basis…” That’s pretty much standard fare for a data breach. Indeed, most lawyers handling data breaches go further — cloaking data breach investigations in at least presumptive attorney-client privilege, precisely to prevent discovery of the breach! Is that an affirmative act of “concealment” under the misprision statute? Doubtful, but you never know.
Sullivan is also charged with violating the federal obstruction of justice statute, 18 USC 1505, which makes it a crime to “willfully withhold, misrepresent, … conceal, cover up … or by other means falsify any documentary material, answers to written interrogatories, or oral testimony, which is the subject of such demand [during an investigation or proceeding of a government agency].” The complaint alleges that “Sullivan engaged in a scheme to withhold and conceal from the FTC both the hack itself and the fact that the data breach had resulted in the hackers obtaining millions of records associated with Uber’s users and drivers. When Uber brought in a new CEO in 2017, Sullivan lied to him about the circumstances surrounding that data breach.”
This allegation surrounds Sullivan’s failure to provide information about the 2016 hack to the FTC in connection with its investigation of the 2014 hack. My review of the facts presented in the criminal complaint shows that Sullivan clearly did not tell the FTC everything he knew. He never told them about the 2017 hack while they were investigating the 2014 hack, and clearly presented a rosy picture of Uber’s security posture when he knew that they had just been hacked. But is that a willful misrepresentation?
In response to questions posed by the FTC about the 2014 hack, it is alleged that Sullivan participated in Uber’s response that “all new database backup files” had been encrypted since August 2014, which the government asserts was not true, as the 2016 records stolen were not encrypted. Sullivan also “OK’d” an anodyne response to the FTC in connection with the 2014 investigation indicating that Uber had cooperated and provided information to the FTC, and that “Uber has put in place numerous and extensive additional protections for the data it stores in the S3 datastore, as well as company-wide improvements in credential protection and management and other aspects of data security.”
Essentially, the government is charging that Sullivan, while trying to negotiate the disposition of the 2014 hack, didn’t tell the FTC, “oh, by the way, we still have problems we haven’t fixed, and we just got hacked again.” The indictment essentially charges that Sullivan, by telling the FTC on behalf of Uber that Uber had made improvements in its security to prevent the kind of hack that occurred in 2014, misled the FTC’s 2014 investigation. That presumes that, as part of the 2014 hack settlement, Uber had a legal duty to tell the FTC about the hack that occurred AFTER the settlement discussions occurred. While the FTC no doubt would have wanted to know about the hack, the government would have to show that the affirmative statements that Sullivan made or caused to be made to the FTC were either false or at least misleading.
A Few Observations
First, it’s important to note that, while breach disclosure laws impose civil and administrative penalties (and FTC enforcement actions, class actions and other remedies, including actions for fraud or deceptive or unfair trade practices by state attorneys general), they do not themselves impose criminal penalties for not reporting a data breach. Maybe they should. Maybe they will. But they don’t.
Second, it’s not clear that Sullivan’s statements about Uber relating to the FTC investigation of the 2014 hack were actually false. The communications with the FTC spoke about Uber’s security improvements, its cooperation with the investigation, and the fact that the 2014 breach “reflect no misdirected priorities, no failure to appreciate risks, and no lack of security knowledge or care.” Sure, if the FTC had known about the 2017 breach, they probably wouldn’t have settled the 2014 breach, or would have required something much more robust. It’s also clear that Uber and Sullivan did not want the FTC to know about the 2017 breach. But I’m not sure that, as a matter of law, this constitutes “misrepresenting, concealing or falsifying” materials actually produced to the FTC, or that it turns the statements made about the 2014 hack and Uber’s response false. Maybe it does, maybe it doesn’t. That’s why we have juries.
Uber’s Response
As noted above, Uber’s breach response was — shall we say — less than ideal. If the charges are credible, then Sullivan at least failed to notify victims of the breach, and failed either to clearly explain what happened to the General Counsel and others or to insist that a breach disclosure be made. He reportedly went further, and took actions to make sure not only that Uber didn’t disclose the breach, but that the hackers themselves did not tell anyone either. Indeed, the complaint alleges that Sullivan insisted that the hackers, unnamed at the time, sign non-disclosure agreements (“NDAs”) in exchange for the $100,000 bounty payment that would supplement the standard terms of Uber’s bug bounty program. The NDA included a false representation by the hackers that they had not obtained or stored any data during their intrusion, and the payment was made in cryptocurrency under Uber’s bug bounty program. Did I mention that Uber’s response was “not ideal?”
But for other companies trying to deal with the myriad circumstances of data breaches, security incidents, vulnerability disclosures, and reputation management, the Sullivan indictment both muddies the waters and raises the stakes. The short lesson is that you don’t pay hush money when there is a legal duty to report. But any time a company does not report something that might be a felony computer crime (or, as we in the industry call it, “Tuesday”), it runs the risk that affirmative acts to “not report” (as opposed to passive acts of not reporting) might elevate the failure to report into misprision. Does a company now have a legal duty to “report and not conceal” attempted hacks? Does a company now have a legal duty to “report and not conceal” activities which constitute exceeding the scope of persons’ authorization to access a computer? Does a company have a duty to “report and not conceal” attempted but unsuccessful DDoS attacks? Botnets? The problem is that any medium- to large-scale company with an effective monitoring program will have evidence of felony attempts to penetrate dozens or hundreds of times an hour. The goal of the company is to prevent the attacks from being successful. Even when there is an incident and investigation of things like attempted data breaches or more serious offenses, the company’s goal is to prevent harm rather than report offenses. Most companies don’t engage in “active” efforts to “conceal” the incidents, but they don’t want to publicize them either. My recommendation would be to ensure that any substantive decisions about security incidents and reporting be made, coordinated and approved by experienced counsel who is fully informed about the facts (in writing!). Getting a lawyer’s blessing (even if, like Sullivan, you are a lawyer) can help keep you out of jail.
The biggest problem here is the ambiguity in the question of what constitutes “concealment” of a computer hack. Remember, despite the fact that Uber’s security program was apparently deficient, and the fact that they did not report the breach of their security to their customers as required, at the end of the day, Uber was a crime victim here. Most of the “misprision” of a felony cases involve people who were involved in the commission of the felony itself, or who harbored or assisted those who committed a felony against someone else. It’s extremely rare to charge a crime victim with a crime. Imagine a domestic assault case where a man strikes his wife or girlfriend, and she not only does not report the crime, but tells her friends or co-workers that the bruise on her face was the result of a “fall.” Should the woman be prosecuted for “concealing and not reporting” the felony assault against her? It’s not that the crime hasn’t occurred, it’s that the application of the statute against a crime victim can be problematic. Not saying that’s what Uber did here, but the law is all about drawing lines and using analogies, right?
For now, the lesson from the Sullivan case is that you don’t pay hush money to hackers to keep them quiet about data breaches you have a legal duty to report. That’s the easy case. Where the exact contours of future cases may lie is, as the Magic 8-ball would say, “situation unclear, ask again later.” But at a minimum, keep your lawyer advised of what you are doing, and get them to approve it. And if your lawyer tells you to do something you think is a crime, get another lawyer. Or at least a second opinion. Nobody has paid me enough money as a lawyer to go to jail for them. At least not yet.
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.