On August 20, 2020, the Department of Justice announced that a criminal complaint was filed against the former Chief Security Officer for Uber Technologies, Inc., related to an alleged concealment of a data breach/hack in 2016. See news report here. The criminal complaint charged the Security Officer with two counts — obstruction of justice and misprision of a felony.
The possibility of criminal charges should highlight, at a personal level, the importance of data security, the necessity of timely disclosure and the requirement of open and willing participation with law enforcement and regulators following a data breach. If your business has suffered a data breach, or even a potential data breach, you must consult with attorneys who have deep experience in data security and breach response. Many state laws require issuance of a notice of a data breach within specified deadlines. The deadlines tend to be short. There are serious civil penalties for failing to disclose a data breach. Now, criminal charges are possible too.
The Uber saga began in mid-2014 when Uber suffered a data breach. That breach resulted in the theft by hackers of names and driver’s license numbers for at least 100,000 Uber customers. See CNBC news report here. The Federal Trade Commission (“FTC”) opened an investigation and found that Uber had seriously deficient cybersecurity software, hardware, and protocols. The FTC also found that Uber allowed its drivers to improperly access and use the personal data of its customers. As the article reports, the FTC stated point-blank that Uber “failed its customers.” Uber and the FTC eventually agreed to enter into a 20-year remediation and data security monitoring plan.
However, Uber suffered ANOTHER data breach in October 2016, and it neither told the FTC nor made any sort of timely disclosure. This new data breach occurred while the FTC was still investigating the 2014 breach. It seems that Uber had done little from May 2014 to October 2016 to improve its cybersecurity. As a result, cybercriminals again hacked Uber. This time, the hackers stole personal information for 600,000 Uber drivers, and they also stole personal information, including names, email addresses, and phone numbers, for 57 million Uber customers.
Not only did Uber fail to timely report and/or disclose the October 2016 hack, Uber negotiated with the hackers and paid the hackers $100,000 to conceal the breach. The 2016 breach was finally made public in November 2017.
The recently filed criminal charges relate to this cover-up and concealment and, more particularly, to the payment made to the hackers to keep the data breach from being made public. Through his attorneys, the former Chief Security Officer has denied the charges.
As noted, the possibility of criminal charges raises the personal stakes for those tasked with responding to a cyberattack and/or data breach. The lessons are clear — disclose, remediate, cooperate, and never attempt a cover-up.
If you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100. We have proven experience with these types of legal issues.
The Legal Framework for Data Breach Disclosure
At the time of the 2016 Uber breach, 47 states had enacted data breach notification laws requiring businesses to notify affected individuals and, in many cases, the state attorney general within a specified period after discovering a breach. Most notification deadlines ranged from 30 to 90 days. By the time Uber disclosed the 2016 breach in November 2017—more than a year after the breach occurred—the company was simultaneously in violation of notification requirements in dozens of states. The Federal Trade Commission’s 20-year consent order stemming from the 2014 breach also imposed an independent obligation to cooperate with the FTC and not to misrepresent the company’s data-security practices.
The criminal charges filed against Uber’s former Chief Security Officer, Joseph Sullivan, included obstruction of justice and misprision of a felony under 18 U.S.C. § 4, which requires that a person with knowledge of a felony take affirmative steps to conceal it from authorities. Paying hackers $100,000 disguised as a bug bounty and having them sign nondisclosure agreements qualified as exactly such affirmative concealment. Sullivan was ultimately convicted in October 2022—a landmark outcome that signaled prosecutors would hold individual executives personally responsible for breach cover-ups.
State and Federal Disclosure Obligations
Most state breach-notification statutes apply to any business that owns, licenses, or maintains personal information about residents of that state, regardless of where the business is headquartered. For the 2016 Uber breach, which involved names, email addresses, and phone numbers for 57 million people and driver’s license numbers for 600,000 drivers, practically every state notification statute was triggered.
At the federal level, the FTC’s authority under Section 5 of the FTC Act reaches any security practice it deems unfair or deceptive. The FTC has pursued dozens of enforcement actions against companies for inadequate security, and its prior consent order with Uber created heightened obligations. State attorneys general—particularly in California, New York, and Illinois—have broad independent authority to investigate and assess civil penalties for breach-notification failures.
The Bug Bounty Problem
One dimension of the Uber case that deserves particular attention is the misuse of a bug bounty program. Bug bounty programs are legitimate and widely used cybersecurity tools: companies pay security researchers who responsibly disclose software vulnerabilities before malicious actors exploit them. When used properly, bug bounties reduce systemic security risk.
The Uber case involved paying the hackers—who had already stolen data and were attempting extortion—under the guise of a bug bounty. This transformed what might have been a compliance misstep into a criminal act. Bug bounty payments are appropriate for good-faith disclosure by security researchers, not for extortion payments to criminals who have already exfiltrated data.
Post-Breach Response: A Compliance Roadmap
- Engage data-security counsel immediately upon discovering a potential breach—attorney-client privilege may protect the internal investigation.
- Conduct a forensic analysis to determine what data was accessed, exfiltrated, or exposed.
- Identify all applicable state notification statutes based on the residency of affected individuals.
- Provide required notice to individuals and regulatory authorities within statutory deadlines—do not wait for the investigation to be complete if deadlines are running.
- Preserve all evidence and cooperate fully with law enforcement and regulatory inquiries.
- Never pay extortion demands without first consulting counsel; payments may implicate federal anti-money-laundering and obstruction statutes.
- Remediate the vulnerability that enabled the breach and document remediation efforts contemporaneously.
If your business has experienced a data breach or received a demand from hackers, contact the data security lawyers at Revision Legal at 231-714-0100. We provide counsel from initial incident response through regulatory investigations and litigation.