C-Suite: Is this Worth Risking My Personal Freedom?
The October 5, 2022, conviction of Uber’s former Chief Security Officer (CSO) Joe Sullivan, ironically a former cybercrimes prosecutor for the U.S. Attorney’s Office, is old news. Sullivan was convicted of obstruction of justice (18 U.S.C. §1503) and deliberate concealment of felony (18 U.S.C. §1001) after failing to report a 2016 data breach incident to the Federal Trade Commission, the State of California, employees, and the affected victims (drivers and riders). While Sullivan awaits sentencing, his conviction presents a new and difficult question for the C-Suite when confronting cyber incidents: Am I willing to risk my personal freedom over cybersecurity?
According to an internal Uber investigation, the hackers (who pled guilty to criminal charges associated with the breach in 2019) purchased a corporate password belonging to a former contractor for Uber on the dark web after the contractor’s devices were compromised. Uber settled the breach claims for all 50 states and Washington D.C. for $148 million in 2018.
Sullivan was not convicted of fraud or of violations under the Computer Fraud and Abuse Act. Rather, Sullivan's defense lost on the obstruction and deliberate concealment charges because of his $100,000.00 payment to the hackers to conceal their theft and his failure to inform the FTC during its ongoing investigation of a 2014 breach.
Corporate entities and their leadership previously enjoyed the protection against actual jail time afforded them by the poor statutory construction of the Computer Fraud and Abuse Act (CFAA) when making "grey" decisions about cyber incidents. Originally passed in 1986 during the Macintosh Plus era, the prosecutable crimes outlined under 18 U.S.C. §1030 almost all require the bad actor to act "knowingly, with the intent to" defraud or extort when committing those crimes.
CFAA's language makes it an extremely difficult statute for prosecutors to satisfy, as recently demonstrated by the United States Supreme Court's opinion in Van Buren v. U.S., in which it reversed the conviction of a former law enforcement officer who improperly sold a woman's license plate information to a third party. Accordingly, corporate entities and their executives previously relied on the knowledge that civil fines were likely the worst repercussion for unethical behavior concerning cybersecurity.
In September 2021, the Department of Treasury's Office of Foreign Assets Control (OFAC) updated its Advisory on Potential Sanctions for Facilitating Ransomware Payments, which, under "the authority of the International Emergency Economic Powers Act or the Trading with the Enemy Act," prohibits U.S. persons from engaging in transactions, directly or indirectly, with certain individuals or countries such as Cuba, North Korea, and Iran. However, OFAC struggles to learn of actual ransomware payments unless they are voluntarily reported or leaked. Much like the data breach reporting requirements enforced by individual state attorneys general's offices, OFAC largely relies on the self-reporting of cyber incidents by impacted entities. But not many corporate entities, especially publicly traded ones, want to report their own victimization and risk drawing attention to their cybersecurity flaws.
However, Sullivan's obstruction and, more importantly, concealment convictions provide future cybercrimes prosecutors with new and interesting precedent by which to criminally pursue corporations and their executives for future misconduct. No longer can businesses and their decision-makers rest easy knowing that fines (and maybe a temporary drop in share price) are the most dangerous repercussion for failure to adhere to data breach regulations. Instead, executives now risk their own personal freedom for failing to fully cooperate with cybersecurity investigations. Money is replaceable; time is not.