After several days of deliberating, a jury today convicted Uber Technologies Inc.’s (“Uber’s”) former chief security officer (the “Former CSO”) of criminal obstruction and of concealing from the Federal Trade Commission (“FTC”) the theft of personal data belonging to fifty million Uber customers and seven million Uber drivers.
Recall that back in 2016, two hackers stole data about Uber’s drivers and riders from a third-party server. The hackers approached Uber and demanded a ransom of $100,000 in Bitcoin in exchange for deleting their copy of the stolen data. The ransom was paid. Central to the prosecution’s case against the Former CSO was testimony given last month by Uber’s former in-house attorney, in exchange for immunity, regarding the ransom payment. According to that testimony, the Former CSO altered a nondisclosure agreement with the hackers to make the incident appear to be a white-hat vulnerability disclosure, i.e., consensual and ethical hacking, rather than a serious data breach that exposed the personal information of 57 million Uber users. This was done notwithstanding state and federal laws requiring companies to give prompt notice of a data breach (the violation of which subsequently resulted in Uber paying $148 million in a fifty-state settlement, the largest data breach settlement of its kind at the time). See, e.g., California’s Civ. Code s. 1798.82(a).
This decision to conceal the breach and pay the ransom has been criticized by security experts, who say that paying hackers only rewards a criminal industry. The F.B.I. agreed in a 2016 statement:
“Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
The Former CSO now awaits sentencing and faces a potential sentence of eight years in prison.
More broadly, this prosecution (and conviction) underscores several cyber and privacy trends with implications for companies across industries.
First, it underscores that data privacy and cybersecurity are now explicit priorities of the Securities and Exchange Commission, the Department of Justice, the FTC and other regulators. For instance, this year the FTC issued a warning that it would pursue future enforcement actions against companies that fail to take reasonable steps to mitigate known cybersecurity vulnerabilities, which could implicate the Federal Trade Commission Act and the Gramm-Leach-Bliley Act, among others.
Second, as the regulatory landscape has shifted, there has also been an accompanying change in the legal risk associated with data privacy and cybersecurity. A board of directors plays an essential role in managing risks related to cybersecurity. In recognition of this responsibility, according to a recent review of the Fortune 100 companies, most boards have taken significant steps towards managing cybersecurity risks. For instance, the vast majority of surveyed boards now designate a board member with oversight of cybersecurity and use an audit committee to review cybersecurity matters.
And third, in addition to putative class actions, shareholder derivative litigation following disclosure of a data breach has become a more frequent occurrence. These cases typically allege that the board failed to maintain and implement appropriate cybersecurity controls or otherwise failed to respond to red flags. For instance, following the T-Mobile data breach last year, shareholder derivative litigation was filed claiming that the board members were “long aware of red flags demonstrating that the Company did not have an effective system of internal controls to ensure the safety and security of customers’ personal identifying information in the face of this threat.” Recently, there has also been a rise in shareholder derivative suits that seek to hold officers and directors accountable for deficiencies in a company’s data privacy and cybersecurity practices.