On August 20, 2020, the Department of Justice announced that a criminal complaint was filed against the former Chief Security Officer for Uber Technologies, Inc., related to an alleged concealment of a data breach/hack in 2016. See news report here. The criminal complaint charged the Security Officer with two counts — obstruction of justice and misprision of a felony.
The possibility of criminal charges should highlight, at a personal level, the importance of data security, the necessity of timely disclosure and the requirement of open and willing participation with law enforcement and regulators following a data breach. If your business has suffered a data breach, or even a potential data breach, you must consult with attorneys who have deep experience in data security and breach response. Many state laws require issuance of a notice of a data breach within specified deadlines. The deadlines tend to be short. There are serious civil penalties for failing to disclose a data breach. Now, criminal charges are possible too.
The Uber saga began in mid-2014 when Uber suffered a data breach. That breach resulted in the theft by hackers of names and driver’s license numbers for at least 100,000 Uber customers. See CNBC news report here. The Federal Trade Commission (“FTC”) opened an investigation and found that Uber had seriously deficient cybersecurity software, hardware, and protocols. The FTC also found that Uber allowed its drivers to improperly access and use the personal data of its customers. As the article reports, the FTC stated point-blank that Uber “failed its customers.” Uber and the FTC eventually agreed to enter into a 20-year remediation and data security monitoring plan.
However, Uber suffered ANOTHER data breach in October 2016, and it did not tell the FTC or make any sort of timely disclosure. This new data breach occurred while the FTC was still investigating the 2014 breach. It seems that Uber had done little from May 2014 to October 2016 to improve its cybersecurity. As a result, cybercriminals again hacked Uber. This time, the hackers stole personal information for 600,000 Uber drivers and stole personal information, including names, email addresses, and phone numbers, for 57 million Uber customers.
Not only did Uber fail to timely report and/or disclose the October 2016 hack, but Uber also negotiated with the hackers and paid them $100,000 to conceal the breach. The 2016 breach was finally made public in November 2017.
The recently filed criminal charges relate to this cover-up and concealment and, more particularly, to the payment made to the hackers to keep the data breach from being made public. Through his attorneys, the former Chief Security Officer has denied the charges.
As noted, the possibility of criminal charges raises the personal stakes for those tasked with responding to a cyberattack and/or data breach. The lessons are clear — disclose, remediate, cooperate, and never attempt a coverup.
If you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100. We have proven experience with these types of legal issues.