In the United States, a Chief Security Officer (CSO) was found guilty of two crimes for concealing from the Federal Trade Commission (FTC) that his company had suffered a data breach at the hands of hackers.
The hackers had subsequently been paid a ransom so that they would not disclose the large volume of personal data they had illicitly taken from the company, and to secure their silence about the incident.
The affair certainly has special circumstances, owing both to the U.S. legal system and to the way the events unfolded; nevertheless, it sheds new light on the delicate position in which top management may find itself when handling a data breach and making the decisions that follow. This is, arguably, the first case of criminal prosecution of a company executive for a data breach.
The case concerns a data breach suffered by Uber Technologies Inc. in 2016, which came after an earlier one in 2014; the link between the two incidents played an important role in how the facts developed, as will be seen below, and this is the first peculiarity of the case, to which the following circumstances are added:
1. The defendant and the overlap of two incidents
- The CSO, who was found guilty of the crimes charged against him, handled the 2016 incident on his own; therefore, no other Uber executives were implicated in the charges.
- The CSO had been delegated to represent the company before the FTC in the investigation that agency had opened into the earlier incident of 2014 (far smaller in scope than the one in 2016), which occurred before he had joined the company's staff; on that occasion, the CSO had answered under oath certain questions put to him by the agency.
- The CSO learned of the 2016 incident ten days after testifying to the FTC, and mentioned it neither to top management, with a couple of exceptions (the CEO at the time and a lawyer on his team), nor to the FTC, with which a preliminary agreement regarding the 2014 incident was later reached.
- The CSO learned of the 2016 incident through an email from two hackers informing him that they had copied, from the cloud platform, a corporate database containing the personal data of some 57 million Uber users and drivers, along with 600,000 of the drivers' license records; having verified that the claim was genuine, the CSO opened negotiations with the hackers aimed at preventing the disclosure of the illicitly acquired information.
2. Negotiation with hackers and payment of ransom
- Having received the then CEO's authorization (though this was not shown to be documented in the record, hence the CEO was not charged), the CSO obtained from the hackers, whose true identities he did not initially know, the signing of a confidentiality agreement in exchange for a payment of $100,000 in bitcoin, together with a commitment on their part to keep the incident secret and the false representation that they had not taken or stored any data in the attack.
3. Dismissal of the CSO and disclosure of the incident
- The new CEO, who replaced the previous one, launched an internal corporate investigation in which the CSO reported on the events while omitting that the attack had involved a large amount of Uber users' personal data and falsely stating that the hackers had been paid only after they were identified; once the truth was established, the CSO was fired, along with the lawyer on his team who had known the facts (and who would later obtain immunity from prosecutors and testify against the CSO).
- Uber's new management decided to publicly disclose the 2016 data breach, also giving formal notice to the FTC.
4. Ascribed crimes and conviction
- The CSO was charged with obstruction of justice (for having obstructed the FTC's investigation by withholding information about the 2016 incident and by taking steps that hindered the capture of the hackers) and with concealing knowledge that a federal crime had been committed.
- The 12 members of the federal jury in the Northern District of California unanimously found the CSO guilty of both crimes charged; he is currently on bail pending sentencing.