What Joe Sullivan's Conviction Means and What It Doesn't

Joe Sullivan, Uber’s former chief security officer, was convicted of obstruction of justice and covering up a felony for his actions after his company was hit with a data breach. There was controversy when he was charged with a crime, and I wrote about the case here in January. Following the verdict on October 5, many security professionals (among others) seemed outraged.

Those looking for lessons will find some—and I will suggest a few myself. But first an admonition: It would be easy to draw the wrong conclusions based on a superficial understanding of the facts. Quick summaries often omit the circumstances that made this case so unusual. And the details make all the difference.

What Was Unusual

Let me start with examples of what I’m talking about.

· Sullivan was not only an experienced CSO, he was also a lawyer. In fact, he’d been a prosecutor in the same U.S. attorney’s office that prosecuted him. He worked in the computer hacking and IP unit. After he left, he worked in-house at PayPal as an associate general counsel. When he moved to Facebook, he worked in the same capacity before moving into the chief security officer job there.

· Though Sullivan was not officially functioning as a lawyer at Uber, in some ways he seemed to be playing that role. When the hackers contacted Uber to inform the company that they had stolen the driver’s licenses of 600,000 Uber drivers and personal information of 57 million customers and drivers, Sullivan directed the company’s response.

· The CSO led a small team that not only investigated and confirmed the breach, it also handled negotiations with the hackers. Sullivan instructed the group not to share anything about the event with colleagues, including the company’s lawyers. The only lawyer (other than Sullivan) who was kept in the loop was Craig Clark, who reported to Sullivan rather than to the general counsel. Clark was fired by Uber at the same time that Sullivan was, and Clark was also charged with a crime by the U.S. attorney’s office. (He pleaded guilty and testified against Sullivan.)

· One of the reasons Uber seemed so intent on keeping this quiet was that the company had suffered a similar hack in 2014. At the time of the new one, it was close to wrapping up a settlement on the matter with the Federal Trade Commission. Less than two weeks before the 2016 breach, Sullivan had been tapped to give sworn testimony to the commission about the earlier breach (which had happened before he’d arrived). He later continued to communicate about the first breach without saying anything about the second to the FTC, to Uber’s general counsel or to the outside counsel with whom he’d been working on the 2014 breach. Once it all came out, the settlement quickly unraveled.

· Sullivan and his colleagues decided to pay the hackers under the company’s bug bounty program. But they failed to follow Uber’s own guidelines. They paid the two hackers ten times the $10,000 the policy suggested as a top fee. And the supposed “white hat” hackers had not simply reported vulnerabilities to the company; they had already stolen the data. Sullivan agreed to pay what they asked—after he consulted CEO Travis Kalanick—even before he was able to identify them.

· Sullivan had the hackers sign nondisclosure agreements (NDAs), which again suggested that secrecy was the primary goal in the company’s handling of the attack. The use of NDAs was the approach one would expect from a lawyer, not a CSO.

· In 2018, the U.S. Senate’s Commerce, Science and Transportation Committee held a hearing on bug bounty programs that focused mostly on Uber’s. John Flynn, Uber’s chief information security officer, defended the concept of these programs. But he did not defend the way Uber handled the 2016 breach. “We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company,” he testified. The two hackers both pleaded guilty that same year, and one testified at Sullivan’s trial that their aim had indeed been extortion.

· The hack remained a closely guarded secret for more than a year. In 2017, Kalanick was forced out after a series of scandals. When Dara Khosrowshahi took over as CEO, he asked Sullivan to brief him on the hack. According to prosecutors, Sullivan had his team write a summary which he then altered by making it sound as though the hackers had gained access to the data but hadn’t stolen it. The new CEO hired outside experts to investigate. When he publicly reported what they’d found, Khosrowshahi added that he’d fired Sullivan and Clark.

· Finally, there was the damage done. It’s hard to calculate the blow to the company’s reputation simply because there were so many during Kalanick’s tumultuous tenure. But there were clear repercussions, even if some commentators have tried to minimize them. The criminal complaint against Sullivan pointed out that the hackers continued to attack other companies after they hit Uber. Had the company reported the hack to law enforcement, the complaint said, “the hacks of multiple additional large tech companies and the theft of the personal data of millions of additional customers and users may have been prevented.” There was also the financial hit the company took. The $100,000 it paid the hackers in Bitcoin was easy to brush aside. But then came the lawsuits. Attorneys general in all 50 states sued Uber based on its failure to comply with state data breach notification laws. The $148 million settlement the company paid was not quite as easy to ignore.

Looking for Lessons

Having said all that, Joe Sullivan could not have done what he did alone. The criminal complaint made it clear that he consulted with Kalanick within hours of being informed of the hack, and the CEO specifically told him to go ahead with their plan. Why wasn’t Kalanick charged with a crime? This seems like a legitimate question for law enforcement. (Ironically, even though Sullivan was not supposed to be functioning as a lawyer, it’s possible that if Kalanick were charged he might try to argue an advice-of-counsel defense.)

Sullivan could not have kept this matter a secret by himself. Why was he able to do so? That’s also a good question. It seems likely the people involved knew that Kalanick approved what they were doing, and perhaps that was enough for them. It may also have had to do with the respect his colleagues had for Sullivan. It could be that they deferred to him because he was not only the CSO but a former prosecutor.

But in the end, it comes down to corporate governance. And this must be seen as a clear demonstration of the company’s failure in this realm.

It’s hard to imagine a situation in which the general counsel should be kept in the dark about a legal matter—unless the general counsel is suspected of misbehavior and is the target of an investigation. Otherwise, the general counsel’s involvement would seem especially important when the company suffers a second breach just as it is deep in negotiations with the FTC in an effort to resolve the first. It’s particularly important if the CEO or other officers may be involved, because the general counsel’s duty is to the company and its shareholders, not management. And if the matter is serious enough, the general counsel may decide to bring it to the attention of the board of directors—or resign.

Companies should ensure that all employees know that they can pass along their concerns anonymously to the general counsel through a complaint line that’s always available. This is a widely adopted best practice, and it’s designed to make it harder to maintain the secrecy that criminal activity thrives on. I don’t know whether Uber had such a system, but it would have provided the people who knew about the breach a way to convey it to the office that needed to know.

Obviously, corporate governance starts at the top. The CEO and the board of directors need to know what’s going on, and the general counsel needs to have a seat at the table. So should the chief compliance officer. But Uber didn’t have one until 2018. This was another sign of a company that had a lot of work to do in this area.

Did Prosecutors Cross a Line?

Many critics of Sullivan’s conviction can’t understand why he was prosecuted in the first place. They seem upset because this case seemed so inconsequential compared to big corporate meltdowns that resulted in officers going to prison. Not just seemed—it was nothing like those cases. Had it not been for the lies and secrecy, no one would have been charged with a crime. It would likely have been no more than a passing embarrassment for a company that had endured many of much greater import.

Security officers are used to getting fired when things go wrong. That wouldn’t have been surprising. But unless it’s a matter of stealing data or some other form of malfeasance, it’s rare that they’d find themselves in the crosshairs of law enforcement. They’re not usually powerful enough to direct a company down a path of criminal conduct. The irony is that Joe Sullivan actually had real power at Uber. He had a seat at the table—the very thing that CSOs have been pushing for. The very thing that, under other circumstances, his admirers would be celebrating.

When critics complain that Sullivan did not deserve to be prosecuted, they see a disparity between him and his boss. This strikes me as a fair point. But if he had not been prosecuted, what about the disparity between Sullivan and the two hackers who pleaded guilty to crimes? What about the disparity between him and Craig Clark, the lawyer who reported to him and also pleaded guilty? They all conspired to pretend that an extortion demand was a helpful tip by security researchers. How can you argue that Sullivan was less culpable than his three co-conspirators?

There’s one more angle. Lawyers who transgress are sometimes held to higher standards. The view is that they should know better, and they can’t claim ignorance. That’s especially true of in-house lawyers, who are often seen as moral compasses and gatekeepers for their companies. Sullivan was once an in-house lawyer, and in this case he functioned as one by superseding his company’s legal team. Prosecutors may also want to ensure that a former prosecutor who crosses an ethical line isn’t issued a free pass. And Sullivan was not only a former prosecutor, he worked in the same office as the lawyers who tried him. Maybe they viewed this case as a way to clear their own reputations.
