Cybersecurity and Individual Liability: ‘U.S. v. Sullivan’ and the Criminalization of a Cyber Attack Response



Cyberattacks, data breaches, ransomware—these are now the stuff of corporate and boardroom discussion. Hardly a day goes by without a reminder of the centrality of cybersecurity to business and government. In one of many recent headlines, the nation’s largest oil and gas pipeline system, Colonial Pipeline, was the target of a cyberattack in 2021 and a demand for a $4.4 million ransom, which was paid with the assistance of federal authorities. The war in Ukraine has heightened already intense concern about the vulnerability of critical infrastructure to cyberattacks.

To date, cybersecurity has generally been viewed as an organizational responsibility, and data breaches likewise have been treated as organizational weaknesses or failures. States have enacted laws that require organizations to report incidents of data theft “expeditiously” to state authorities and to the individuals adversely affected. In addition, public companies are required to disclose information about data breaches when such information is material to investors.

Against this backdrop of organizational responsibility, the Department of Justice has brought a noteworthy criminal case against an individual for his personal response to a corporate data breach. In United States v. Sullivan, Case No. 3:20-cr-00337-WHO (N.D. Cal.), the defendant, a former employee of Uber Technologies (Uber), has been charged with wire fraud and other offenses arising from his handling of a ransomware attack against Uber in 2016. While Uber settled potential civil charges with state attorneys general and the Federal Trade Commission (FTC), Uber was not charged criminally.

In this article, we begin with an overview of the events underlying the charges in Sullivan and then discuss the theories of prosecution and defense. Next, we turn to the current regulatory framework for data breach reporting and consider the impact of new rules—most notably, the SEC’s recent proposed regulation on cyber incident disclosure. We conclude with observations about the prospect of individual liability in this rapidly evolving and vitally important area of the law.

‘Sullivan’ Background

The events underlying the Sullivan prosecution began in September 2014, when Uber suffered a data breach that resulted in the theft of personal information for approximately 50,000 drivers (the 2014 Breach). In February 2015, Uber reported the 2014 Breach to the FTC, which then launched an investigation into Uber’s data security practices. Shortly before the FTC investigation began, Sullivan became Uber’s Chief Security Officer (CSO), and in that capacity he assisted with Uber’s responses to the FTC investigation. The facts set forth below are based on allegations in a criminal complaint filed against Sullivan in August 2020.

On Nov. 14, 2016, while the FTC investigation was pending, Sullivan discovered that Uber’s cyber defenses had again been breached, and that hackers had obtained information about approximately 600,000 drivers (the 2016 Breach)—more than 10 times the number of drivers affected by the 2014 Breach. Within 24 hours, Sullivan discussed the breach with Uber’s then CEO, Travis Kalanick. Over the next month, Sullivan arranged a payment of $100,000 to the hackers under Uber’s “bug bounty” program on the condition that the hackers sign non-disclosure agreements (NDAs).

Uber’s bug bounty program offered money to individuals who brought data security vulnerabilities to its attention. According to DOJ, the program was not intended to reward someone who actually accessed or obtained sensitive data, and a reward was not generally conditioned on signing an NDA. The criminal complaint alleged that the hackers had, in fact, obtained sensitive data, and that the NDAs falsely represented that they had not.

According to the criminal complaint, Sullivan did not report the 2016 Breach to the FTC and did not raise the 2016 Breach again with Uber management until September 2017, when he was asked to brief Uber’s new CEO on the 2016 Breach. Sullivan reportedly indicated that the bug bounty payment had been made only after Uber learned the hackers’ true identities and did not mention that the hackers had actually taken Uber drivers’ sensitive data. After further investigation, Uber learned the full extent of the 2016 Breach and ultimately disclosed it to the FTC and the public in November 2017, after which it fired Sullivan.

‘Sullivan’ Prosecution

In September 2020, a grand jury in the Northern District of California returned an indictment against Sullivan charging him with obstruction of administrative proceedings, in violation of 18 U.S.C. §1505, and misprision of a felony, in violation of 18 U.S.C. §4. In the government’s view, Sullivan knew the 2016 Breach was relevant to the FTC’s investigation of the 2014 Breach, but willfully failed to report it to the FTC and took steps to prevent its discovery.

In a December 2021 superseding indictment, the government added charges of wire fraud, in violation of 18 U.S.C. §1343. According to the government, Sullivan made false and misleading statements with the intent to deprive Uber drivers of their legal right to notification under California law, and such notification would have been material to an Uber driver’s decision whether to continue paying Uber’s “Service Fee.” In support of this charge, the superseding indictment alleges that Sullivan sought to conceal the 2016 Breach by, among other things, falsely characterizing payments to the hackers as legitimate payments under the bug bounty program, and orchestrating false and misleading NDAs.

Sullivan pled not guilty and recently moved to dismiss the wire fraud charges. In the defense’s view, Uber made Sullivan the fall guy for the 2016 Breach to “burnish the image of its new CEO” and to deflect from Uber’s corporate responsibility for the response to the 2016 Breach. The defense denies that Sullivan concealed information from Uber and points to knowledge of the 2016 Breach on the part of various members of Uber’s legal department and management.

Sullivan has taken aim at what he argues is an improper theory of wire fraud. Sullivan’s primary argument is that Uber’s continued receipt of service fees from affected drivers, the money or property allegedly at issue, was no more than an “incidental byproduct” of the charged scheme to conceal the 2016 Breach and certainly not the object of the scheme, as required by Kelly v. United States, 140 S. Ct. 1565 (2020). Two of Sullivan’s other arguments are noteworthy. He contends that the wire fraud charges “violate the convergence principle of United States v. Lew, 875 F.2d 219 (9th Cir. 1989)” to the extent they depend on misrepresentations that he made to Uber’s CEO or outside counsel, because they “were not among the persons from whom Sullivan allegedly intended to continue receiving money or property,” i.e., the drivers. In addition, Sullivan contends that a fraud charge premised on a failure to make a disclosure under California law would run afoul of “federalism principles” by transforming “virtually any violation of a state data breach notification law into a federal felony.”

In its opposition to Sullivan’s motion to dismiss, the government countered that Uber’s receipt of service fees was “at the center” of Sullivan’s plan, and that the defense was raising an issue of intent which could not be decided on a motion to dismiss. The government also argued that the charges do not violate Lew’s “convergence principle” because Sullivan did not need to misrepresent anything directly to the drivers so long as misrepresentations were made to them as “part of a larger scheme” under United States v. Ali, 620 F.3d 1062 (9th Cir. 2010). Finally, the government pointed to cases in which fraud charges based on omissions have been upheld under comparable or even less compelling circumstances than those in the instant case.

Regulatory Environment

The prosecution of Sullivan cuts against the grain of prevailing regulation. State data breach reporting laws impose duties on organizations, not individuals. See, e.g., Data Breach Notification Laws by State, IT Governance. The same is true under federal law. At present, regulations issued by the FTC and the Department of Health and Human Services require organizations that collect confidential medical information to report data breaches. More generally, the FTC has issued guidance that organizations should notify affected parties and law enforcement promptly following a data breach. Recent remarks from FTC Chair Lina Khan suggest that more formal regulatory action may be coming. See Lina M. Khan, Chair, Remarks as Prepared for Delivery at IAPP Global Privacy Summit 2022 (April 11, 2022). In 2011 and 2018, the SEC issued guidance to public companies regarding the disclosure of cybersecurity incidents and risks. This guidance derives from a public company’s obligation to report material information. To date, the reach of federal law is limited and does not establish comprehensive reporting rules for organizations, much less for individuals.

The reporting framework for public companies may change significantly if proposed SEC regulations, issued on March 9, 2022, are adopted in something like their current form. The proposal addresses public company disclosures related to companies’ cybersecurity risks and incidents. See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 87 FR 16590 (proposed March 9, 2022). The proposed rule would require disclosure of a cybersecurity incident within four business days of a determination that it is material. Other proposals would mandate periodic reports regarding an issuer’s policies and procedures to identify and manage cybersecurity risks. On this latter point, companies would need to report whether the company has designated a chief information security officer (CISO) as well as the relevant cybersecurity experience of the CISO and any members of the board. See 87 FR at 16600 (proposed).

In light of its significance and breadth, the proposed rule will likely attract a large number of comments. Critics may build on a sharply worded dissent filed by Commissioner Hester M. Peirce, which took issue with the proposal’s “unprecedented micromanagement” of corporate management and directors in their handling of cybersecurity. See Hester M. Peirce, Dissenting Statement on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Proposal, SEC (March 9, 2022).

Barely a week after issuance of the proposed cybersecurity regulations, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022, H.R. 2471, 116th Cong. (CIRCI). CIRCI requires entities to report (1) any “substantial” cyber incident no later than 72 hours after discovery or (2) any ransomware payment made as a result of a digital attack against critical infrastructure within 24 hours after the payment is made. H.R. 2471 §§2242(a)(1)(A), 2242(a)(2)(A). The entities covered by the law have not yet been determined, but CIRCI cites Presidential Policy Directive 21’s broad definition of “an entity in a critical infrastructure sector.” H.R. 2471 §2240(5).

Both CIRCI and the SEC’s proposed rule would impose detailed requirements rather than leave key decisions to the judgment of organizations based on general standards such as materiality. Significantly, neither the new law nor the proposed regulations (if adopted) would impose liability on individuals like Sullivan, except, perhaps, as a secondary actor under the securities laws in certain situations.


In recent pronouncements, DOJ has made it clear that the prosecution of white-collar offenses, particularly individual offenders, is a high priority of the current administration. Sullivan was initially charged during the Trump Administration, and wire fraud charges were added in a superseding indictment during the Biden Administration. In this case, what stands out is not so much a change of administration but, rather, whether the Sullivan case signals an intention to hold individuals accountable for perceived failings in an organization’s response to a cyber incident. This intention is reflected, in particular, by the recent addition of wire fraud charges which, if upheld, could be the basis for charging many other individuals whose response to a cyber incident might be found deficient.

Cyber incidents are challenging for any organization; they require gathering information under great stress, assessing the damage, and containing the damage to the organization’s business—all while attempting to comply with the letter and spirit of multiple laws. In this context, the question of individual liability may take on greater significance as the rules governing cyber incidents become more and more specific and demanding.

Jonathan S. Sack is a member of Morvillo Abramowitz Grand Iason & Anello P.C. and a former chief of the criminal division in the U.S. Attorney’s Office for the Eastern District of New York. Christopher M. Hurley is an associate at the firm.