“It is a unique case because there was that ongoing FTC investigation,” says Shawn Tuma, a partner at the law firm Spencer Fane who focuses on cybersecurity and data privacy issues. “He had just given sworn testimony and was most definitely under an obligation to further supplement and supply relevant information to the FTC. That’s how it really works.”
Tuma, who often works with firms responding to data breaches, says that the more concerning conviction in terms of future precedent is the misprision of felony charge. While the prosecution was seemingly motivated primarily by Sullivan’s failure to notify the FTC of the 2016 breach in the course of the agency’s investigation, the misprision charge could create a public perception that it isn’t legal or acceptable to pay ransomware actors or hackers attempting to extort payment to keep stolen data private.
“These situations are highly charged and CSOs are under immense pressure,” Vance says. “What Sullivan did seems to have succeeded at keeping the info from coming out, so in their minds, they succeeded at protecting user data. But would I personally have done that? I hope not.”
Sullivan told The New York Times in a 2018 statement, “I was surprised and upset when those who desired to portray Uber in a negative light quickly suggested this was a cover-up.”
The facts of the case are somewhat specific in the sense that Sullivan didn’t simply lead Uber to pay the criminals. His plan also involved presenting the transaction as a bug bounty payout and getting the hackers, who pleaded guilty to perpetrating the breach in October 2019, to sign an NDA. While the FBI has been clear that it doesn’t condone paying hackers off, US law enforcement has generally sent a message that what it values most is being notified and brought into the process of breach response. Even the Treasury Department has said that it may be more flexible and lenient about payments to sanctioned entities if victims notify the federal government and cooperate with law enforcement. In some cases, as with the 2021 Colonial Pipeline ransomware attack, officials working with victims have been able to trace payments and attempt to recoup the money.
“That is the one that gives me the most concern, because paying a ransomware attacker could be viewed out in the public as criminal wrongdoing, and then over time that could become a kind of default standard,” Tuma says. “On the other hand, the FBI highly encourages people to report these incidents, and I’ve never had an adverse experience working with them personally. There’s a difference between making that payment to the bad guys to buy their cooperation and saying, ‘We’re going to try to make it look like a bug bounty and have you sign an NDA that’s false.’ If you have an obligation to supplement to the FTC, you give them relevant information, comply with breach notification laws, and take your licks.”
Tuma and Vance both note, though, that the climate in the US for handling data extortion situations and working with law enforcement on ransomware investigations has evolved significantly since 2016. For executives tasked with protecting the reputation and viability of their company, along with defending users, the options for how to respond a few years ago were much murkier than they are now. And this may be precisely the point of the Justice Department’s effort to prosecute Sullivan.
“Technology companies in the Northern District of California collect and store vast amounts of data from users. We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers,” US attorney Stephanie Hinds said in a statement about the conviction on Wednesday. “Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught. Where such conduct violates the federal law, it will be prosecuted.”
Sullivan has yet to be sentenced, another chapter in the saga that security executives will no doubt be watching extremely closely.