Saturday, October 29, 2022

Cybersecurity Lessons from the Trial of Uber's Former Chief Security Officer



In 2016, Joseph Sullivan was chief security officer (CSO) at Uber when a data breach exposed the personal information of 57 million users. Earlier this month, after three weeks of trial, Sullivan was found guilty of concealing the data breach and obstructing the Federal Trade Commission's (FTC) investigation. He now awaits sentencing, where he faces a maximum statutory penalty of five years in prison for the obstruction count and a maximum of three years in prison for the misprision count (failing to report a felony), along with a $250,000 fine for each count.

This verdict serves as a cautionary tale of the personal criminal liability that cybersecurity professionals, in-house counsel and other company executives may face if their actions are deemed to "cover up" a data breach.

The central issue at trial was whether Sullivan paid a bug bounty or a ransom. Companies often turn to crowdsourcing the discovery of vulnerabilities in their systems through bug bounty programs, which incentivize security researchers to find vulnerabilities in exchange for a monetary reward. In fact, the FTC alleged in a 2022 enforcement action against CafePress that the company failed to provide reasonable security because it "failed to implement a process for receiving and addressing security vulnerability reports from third-party researchers."

Bug bounty programs can go awry if there is disagreement between the researcher and the company regarding the validity of the bug. To prove that the vulnerability exists, security researchers may exploit it, hold the personal data hostage, and demand the payment they feel entitled to, which starts to look like a ransom. The Department of Justice (DOJ) raised similar points about when good-faith research becomes a malicious act in its new policy on Computer Fraud and Abuse Act prosecutions. The distinction is important because a malicious actor exfiltrating data is clearly a data breach, which is required to be reported to the FTC.

In Sullivan, the DOJ argued that the CSO paid malicious hackers a large sum of money with the intention of disguising the data breach as a bug bounty to avoid FTC reporting obligations. The DOJ said that Sullivan executed a nondisclosure agreement (NDA) with the hackers to cover up the incident, rather than in the normal course of the bug bounty program, in which NDAs are common to prevent the researcher from publicizing the vulnerability before it is patched.

In closing arguments, Sullivan's lawyer challenged the notion that this was a cover-up by arguing that the blame lay with the numerous executives who allegedly knew about the breach, as well as Uber's legal team, which allegedly failed to inform the FTC.

Cybersecurity professionals watched this trial closely, given that CSOs typically do not make the decision of whether to report an incident to the FTC, and it seems unlikely that a CSO would have made the unilateral decision to execute an NDA without consulting the legal department. Ultimately, however, evidence of how the security team responded to the breach, including internal documents and several NDAs, sealed the guilty verdict.

This verdict sets a precedent for how the DOJ plans to respond to similar incidents going forward. After the verdict, the federal prosecutor stated, "We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and their employers than protecting users."

Cybersecurity professionals should pay close attention, as creative solutions for avoiding breach reporting may spell personal liability. With that in mind, here are practical tips for ensuring that teams protect the company without exposing themselves to personal liability:

  • Effectively and accurately document the briefing of the C-suite, board members and legal team on any cybersecurity issues. Keeping stakeholders informed of actual and suspected incidents ensures that decisions are made collectively and in the best interest of the company. By documenting these briefings, discussions and decisions, individuals can protect themselves and support the documentation efforts required by a coherent incident response plan.
  • Maintain a detailed, accurate and clear incident response plan. If you have read any of our other published insights, you will notice a consistent theme around documentation. Documentation is the linchpin of incident response. The ability to pull up notes from the meeting where the board was informed of an incident can help absolve individuals of criminal liability. Consequently, this information may become discoverable during any litigation.
  • Remember that communication about any cybersecurity incident may expose an individual to criminal liability. Write emails and other communications as if a regulator will read them, because they will. An email saying "why don't we just say this was part of the bug bounty program" is the smoking gun regulators are looking for.
  • Remain cautious about facilitating payment of a bug bounty or ransom. The crux of this case is the payment to the hackers and the nondisclosure agreement. Companies should maintain clear, detailed guidelines and procedures for running any vulnerability disclosure program, such as a bug bounty program. Additionally, the legal team should be aware of the nuances of bug bounty programs and understand when overreporting may be in the company's best interest.

Parker Poe law clerk Alexandria Hill also contributed to this article.
