Individual Criminal Liability for Failure to Disclose Data Breach Establishes a New Level of Risk for Companies and Executives
A version of this insight was published in Law360, September 18, 2020
General Counsel and in-house legal departments have long struggled with articulating the risk of and determining the appropriate response to breaches of the company network and the potential exposure of confidential information about employees and third parties. It’s rarely a simple question. Even defining a breach is not a straightforward task. And, decisions about whether to disclose, what to disclose, and how soon to disclose are often intertwined with one another and hampered by incomplete and emerging facts. Disclosing “everything” to everybody is not realistic or advisable. General Counsel know this is an area where being second guessed goes with the territory. But until now, criminal prosecution of individual company executives was not one of the expected consequences of not having disclosed an issue. After the recently announced felony charges against a former Uber executive for failing to inform the FTC of a breach, General Counsel should now consider this disturbing possibility and how to mitigate this risk.
The criminal charges that made headlines last week involved Uber Technologies Inc. (“Uber”). Both Uber and its former CEO Travis Kalanick have been frequent subjects of ethics and compliance related criticism. However, in what began as a potential “man bites dog” narrative, Uber was the initial victim of this misconduct. In November 2016, they were contacted by cyber-attackers who claimed they had breached Uber’s network, stolen the personal data of 57 million of its users and drivers, and were now demanding a six-figure payment from Uber. Of course, the dog does eventually bite the man, and last week, federal prosecutors filed a criminal complaint in the Northern District of California against former Uber executive Joseph Sullivan in connection with his alleged efforts to cover up the 2016 data breach.1
Sullivan was Uber’s chief security officer and deputy general counsel2 and according to the complaint, was directly involved and “intimately familiar with the nature and scope” of the Federal Trade Commission’s (“FTC”) investigation of Uber for a different and much smaller breach suffered in 2014.3 Uber had self-disclosed that 2014 breach and cooperated with the FTC’s discovery demands. Sullivan had personally given sworn testimony to the FTC about the facts and circumstances of the prior breach and the measures Uber had taken in response.
In November 2016, ten days after providing the sworn testimony to the FTC in connection with the 2014 breach, Mr. Sullivan learned of a subsequent and much larger breach.
The complaint alleges that instead of promptly reporting it to the FTC, Mr. Sullivan directed that the existence of the breach be kept “tightly controlled” internally due to the “extremely sensitive” nature of the materials subject to the breach. The cyber-attackers held the data for ransom and demanded a six-figure payout. It is not per se illegal for companies to pay ransom demands. And, like many large technology companies, Uber had a “bug bounty” program by which third parties are rewarded for finding security gaps and product defects. Sullivan and then CEO Kalanick used the bounty program to pay the $100,000 ransom via bitcoin. As a condition of the payment, Sullivan also allegedly demanded the cyber-attackers execute non-disclosure agreements (“NDAs”) forbidding disclosure of the breach and related conversations, and reciting (contrary to the cyber-attackers’ claims) that the cyber-attackers had not obtained or stored any data. The criminal complaint emphasized that the $100,000 payout was ten times the maximum of Uber’s then-existing bug bounty program and that Sullivan allegedly knew the cyber-attackers had in fact obtained or stored data.
Meanwhile, Mr. Sullivan continued to participate in the FTC’s investigation of the 2014 breach and, in April 2017, approved a draft letter to the FTC aimed at resolving the investigation. The letter’s cover email represented that the Company had exhibited “exemplary” cooperation for the previous 28 months, voluntarily provided “exhaustive information to staff,” and the “data security incidents at issue reflect no misdirected priorities, no failure to appreciate risks, and no lack of security knowledge or care.” The complaint does not allege that Sullivan ever represented that there had not been any similar or subsequent data breaches, and the complaint does not assert that the FTC had even asked Sullivan or anyone else at Uber in the course of the 2014 breach investigation if there had been any other similar or subsequent data breaches.
The complaint acknowledges that Uber’s payment of the ransom and execution of the NDAs was with the full knowledge and at the direction of Uber’s then CEO. However, the complaint alleges that when a new CEO joined Uber in August 2017, Sullivan initially misled the new CEO by not disclosing all of the details of the 2016 breach. The complaint alleges this initial incomplete briefing to the CEO constituted evidence that Sullivan knew his actions had been improper. Ultimately, in November 2017, and before the 2014 investigation was resolved, Uber voluntarily disclosed the 2016 breach to the FTC, and the 2014 breach resolution concluded with consideration of the subsequent breach.
Novel Legal Issues to Contemplate
- A Duty to Report A Crime? General Counsel will likely have distant law school memories that there is no affirmative duty for a victim or witness to report a crime. That memory, and the underlying principle, are accurate, generally speaking. Most states do not impose such a general duty. However, under Texas law, for example, you can be charged with a Class A misdemeanor for failing to report an offense that resulted in serious bodily injury or death.4 In Ohio, it is illegal to knowingly fail to report a felony.5 While these states are exceptions to the general rule, most states only have mandatory reporting laws requiring certain professions to report crimes. These “mandatory reporters” generally include parents, teachers, school administrators, clergy, medical professionals, therapists, social workers, and others. In some states, however, anyone who believes child abuse is taking place must report it. Under federal law, there are mandatory disclosure rules for “fraud” involving government contractors,6 affirmative disclosure obligations for specific employee safety issues,7 and discharge disclosures under environmental statutes.8 In short, the general rule has too many exceptions to reflexively assume it will apply to any given context. In-house counsel should determine if there are any statutory obligations to report and also consider whether the company has made any factual representations in litigation, investigations, or compliance certifications that have suddenly become false or misleading.
- Misprision of Felony, Really? The misprision of felony statute applied in the Sullivan case is a curious choice, particularly as applied against the putative victim of the underlying felony, which was the hacking and extortion scheme. Misprision is an often criticized statute based on English common law, and it has actually been abolished throughout most common law jurisdictions. But rumors of its demise in the United States Code, where it continues to be applied sporadically, are premature. A representative prosecution under the statute in 2019 involved an Ohio aluminum company that knew of and failed to disclose Occupational Safety and Health Administration violations committed and concealed by its Canadian subsidiary.9 A 2018 misprision prosecution involved charges against an executive of a charity who failed to disclose fraud that he knew was being committed by others in the charity and from which he was benefitting.10 In the Sullivan case, the misprision statute seems to be used as a substitute for a federal data breach notification law. But one reason such a law has not been passed is disagreement within Congress about what “breach” circumstances should require disclosure and to whom, the form of the disclosure, its timing, etc. Applying the misprision statute in this context invites multiple constitutional challenges, including under the vagueness doctrine.11
- Acts of “Concealment?” Under the misprision of felony statute, what transforms a permissible failure to report into criminal conduct is an act or acts of concealment.12 In the Sullivan case, it is the nature of the alleged acts of concealment that raises important questions. It does not appear from the complaint that Sullivan or anyone else at Uber lied to the FTC about the existence of the 2016 breach. Indeed, it does not appear from the complaint that the FTC even asked Uber whether there had been any similar or subsequent breaches. So the complaint alleges no overt false statements denying, concealing or misrepresenting the existence of the 2016 breach. And, it does not allege any prior statements that required amendment after the emergence of the new breach. Instead, the alleged acts of concealment were Sullivan’s enforcement of a very restrictive “need to know” approach internally and his use of NDAs with external parties like the cyber-attackers. In-house lawyers will likely find it unsettling to hear these tools and practices characterized, without qualification, as acts of criminal concealment. Any information within a company that management is not willing to have widely publicized to customers, competitors, investors and others needs to be consciously and affirmatively controlled internally. And the use of NDAs in the corporate environment is beyond ubiquitous. Companies routinely include such terms in agreements with customers, prospective customers, suppliers, current employees, departing employees, litigants, and even mere visitors to the corporate campus. The volume is often so high that many companies even have automated NDA generators for employees to use without bothering the in-house Legal Department.
Against this context, it is easy to contemplate circumstances where NDAs were applied to negotiated terminations of employees or executives, or disputes with suppliers or customers, where one or both are alleging that they were cheated or defrauded. One of the key objectives and conditions of any resolution is for the parties to actually resolve the issue and put it behind them. These circumstances are rarely of interest to criminal investigators but could be in theory. Are these instances of criminal concealment? If using an NDA with the generalized intention to keep a vulnerability confidential to avoid commercial embarrassment or disadvantage is construed to include a specific intention to conceal from law enforcement, NDAs will become a greater source of risk.
Action Items for In-House Counsel
- Plan Your Work, Work Your Plan. The fast-paced, hectic, highly-charged environment that accompanies a data breach and ransom demand is not the best time to decide policy questions, or who should be informed of the crisis. It is often said that there are two groups of companies: those who have suffered a data breach and those who don’t know they have suffered a data breach. The risk involved justifies being well-prepared. Companies should take the time before a crisis to establish a critical incident response plan, and a data breach must be one of the incident types that plan covers. All of the contingencies and checklists can be established in advance so that issues and considerations don’t get missed in the urgency of the moment, questions that may require more deliberation can be fully explored, and there will be more time during the crisis for thoughtful consideration.
- Who’s at the Table. General Counsel should ensure that the critical incident response plan defines what events will trigger the plan and identifies the key stakeholders who must be immediately informed of the issue. A corollary is a mandatory escalation policy that defines the most serious issues that require immediate notification of one or more relevant board members. One of the challenges in the Sullivan case is that the existence of the data breach and ransom demand was very closely held and the key decisions were made primarily by just two people. It’s easy to imagine that Uber’s General Counsel and various Board members might have counseled a different approach, but their voices were excluded. Excluding the Board from participation in overseeing key enterprise risks is also a corporate governance question that is receiving growing scrutiny from Delaware courts.
- Bug Bounties and Ransomware. Companies should review their approaches to bug bounties and data ransom demands. Many technology and other companies operate a “bug bounty” program whereby third parties are modestly rewarded for identifying security and other defects in networks and/or products. Almost all bounty payments involve some restrictions on disclosure (e.g., an NDA). Some programs permit the “researcher” to blog about their discovery, but only after it has been patched. Some companies reward the researcher but do not allow the discovered defects to be publicized. Most bugs do not involve criminal conduct, but ransomware demands invariably do. First, companies should reduce their vulnerability to ransomware through measures such as managed security services and offsite backups. However, companies should also anticipate the issue and the utility of notifying law enforcement. It is not illegal to pay a ransomware demand. But under the theory of the complaint in Sullivan, it might be illegal to not report the ransom demand. Where the explicit or implicit purpose of the ransom payment is to stop the cyber-attackers from publicly disclosing that your company was hacked, companies should consider whether it is advisable to notify the FBI, even if the notification of the breach and ransom payment is after the fact.
- Non-Disclosure Agreements. The use of NDAs in settlement agreements came under great scrutiny as part of the “Me Too” movement, where they were seen as a tool that helped cover up and perpetuate continuing misconduct. Several companies resolved to discontinue their use in certain employment contexts. No wholesale elimination of their use seems possible or reasonable. However, the risk remains that a prosecutor could construe the purpose of an NDA as intending to obstruct law enforcement. To partially mitigate this risk, many NDAs in the employment context explicitly make clear that the terms do not prohibit the parties from responding to direct inquiries from law enforcement. In-house counsel should review and modify their standard NDA terms to ensure their intent could not be misconstrued.
- Assess Your Duty to Disclose. We have pointed out that the general principle that a company or person does not have a duty to report a crime is actually rife with exceptions. In the data security context, affirmative breach notification obligations abound. These obligations, which sometimes conflict, can vary based on factors such as the location of the affected individuals or nature of the breached data. In the Sullivan case, the government implies the defendant and the company had a greater burden to disclose because of the then-ongoing FTC investigation. In Noble, the misprision of felony charges were strengthened by the fact that the charity was simultaneously submitting compliance certifications attesting to the absence of various issues like fraud. Companies, especially government contractors and public companies, are constantly making filings and representations in different venues and the potential for incompatible representations grows. Any decision to not disclose a particular circumstance or event should be made with complete situational awareness to ensure that affirmative representations to the contrary have not already been made.
- In-House Lawyer Jeopardy. In-house counsel should pause to consider that the defendant here was not just the chief security officer but also an in-house lawyer. In-house counsel recognize how intertwined they are with decisions about data breaches specifically, voluntary disclosure decisions and, of course, the ubiquitous NDA usage. Counsel should remind themselves and their internal stakeholders that the perceived security of the attorney-client privilege can be tenuous in these circumstances. Even if validly applied and carefully protected in a particular context, it can be pierced by the crime-fraud exception. The privilege also belongs to the corporation, and it can be readily waived by new management. These matters can readily evolve into a situation where executives and in-house counsel are pointing the finger at one another about what was disclosed or advised.
1 The criminal complaint includes two counts: (1) Obstruction of Justice in violation of 18 U.S.C. § 1505; and (2) Misprision of a Felony in violation of 18 U.S.C. § 4.
2 While not directly revealed in the complaint, it can be expected that Mr. Sullivan’s dual role as a lawyer for Uber raised significant privilege and advice of counsel issues. Mr. Sullivan is also a former Assistant United States Attorney in the Northern District of California, the same office that is prosecuting him.
3 In that breach, an outsider gained access to an unencrypted file that would allow a user to match the names and drivers’ license numbers of 50,000 drivers.
4 See Tex. Trans. Code § 550.021.
6 See 48 C.F.R. §§ 9.406-2(b)(1)(vi), 9.407-2(a)(8).
7 See 15 U.S.C. § 78m–2 (requiring reporting of certain mine safety incidents); see also 29 C.F.R. § 1904.39 (OSHA reporting obligation).
8 See 42 U.S.C. § 9603; see also Incentives for Self-Policing: Discovery, Disclosure, Correction and Prevention of Violations (Audit Policy), 65 Fed. Reg. 19618 (Apr. 11, 2000).
9 United States v. Extrudex Aluminum, Inc., No. 4:19-cr-00195 (N.D. Ohio 2019).
10 United States v. Noble, No. 6:18-03097-01 (W.D. Mo. 2018).
11 Skilling v. United States, 561 U.S. 358, 404-409 (2010) (discussing a vagueness challenge to the federal honest services fraud statute).
12 In the 9th Circuit, where the Sullivan case is being prosecuted, a violation of 18 U.S.C. § 4 has the following elements: (1) that the principal committed and completed the felony alleged; (2) that the defendant had full knowledge of that fact; (3) that he failed to notify the authorities; and (4) that he took affirmative steps to conceal the crime of the principal. United States v. Olson, 856 F.3d 1216, 1220 (9th Cir. 2017).
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.