Appeals court affirms criminal conviction for corporate executive's inaccurate Federal Trade Commission data breach disclosures
A federal appeals court has affirmed the conviction of Uber's former Chief Information Security Officer, Joe Sullivan, for making inaccurate data breach disclosures to the Federal Trade Commission (FTC). In 2014, hackers stole data from Uber's network. The FTC launched an investigation into Uber's data security practices and response to the incident, and Sullivan provided the Commission with sworn testimony concerning Uber's cybersecurity posture. Ten days after his testimony, he learned of a second cyberattack that impacted the data of 57 million passengers and drivers. Sullivan negotiated a ransom payment to suppress the stolen data and convinced the hackers to sign nondisclosure agreements. Rather than disclose the breach to the FTC, Sullivan characterized the incident as a bug bounty program. Sullivan's charges focused on the failure to disclose the breach's true nature and his subsequent cover-up efforts.
Indicting a corporate executive for mishandling a government investigation into a cyberattack is just one way the government is increasing pressure on businesses to comply with data privacy and security laws. Organizations that experience cybersecurity incidents should proceed with caution when responding to state and federal investigations to mitigate additional business risks and civil and criminal liability.
Attorneys from McDonald Hopkins' national data privacy and cybersecurity practice group are available to counsel business organizations through state and federal investigations into cyberattacks.