The Uber Data Breach Conviction Shows Security Execs What Not to Do


“This is a unique case because there is an ongoing FTC investigation,” said Shawn Tuma, a partner at law firm Spencer Fane, which specializes in cybersecurity and data privacy issues. “He has just been sworn in and certainly has a duty to supplement and provide additional relevant information to the FTC. That’s how it works.”

Tuma, who regularly works with companies responding to data breaches, says the more worrisome conviction in terms of future precedent is committing a false felony. While the prosecution appears to have been driven primarily by Sullivan’s failure to notify the FTC of the 2016 violation during the agency’s investigation, the alleged misconduct could create the public perception that it is never legal or acceptable to pay ransomware actors or hackers trying to extort payments to keep stolen data private.

“These situations are very expensive and CSOs are under a lot of pressure,” says Vance. “What Sullivan has done seems to have succeeded in keeping the data from being exposed, so in their mind they have succeeded in protecting user data. But can I personally do that? I hope not.”

Sullivan told The New York Times in a 2018 statement, “I’m surprised and disappointed that those who wanted to portray Uber in a negative light were quick to dismiss this as a cover-up.”

The circumstances of the case are somewhat specific in the sense that Sullivan did not simply lead Uber to pay criminals. His plan also involved presenting the transaction as a bug bounty payment and requiring the hackers – who pleaded guilty to causing the breach in October 2019 – to sign an NDA. While the FBI has been clear that it does not condone paying hackers, US law enforcement has generally sent a message that what they value most is being informed and included in the violation response process. Even the Treasury Department said it could be more flexible and tolerant of payments to sanctioned entities if the victim informs the government and cooperates with law enforcement. In some cases, as with the 2021 Colonial Pipeline ransomware attack, officials working with victims were able to track the payments and try to get the money back.

“This is what worries me the most, because paying a ransomware attacker could be seen by the public as criminal misconduct, and over time that could become the default norm,” Tuma said. “On the other hand, the FBI strongly encourages people to report these incidents, and I have never had an adverse experience working with them personally. There’s a difference between paying that to the bad guy to buy their partnership and saying, ‘We’ll try to make it look like a bug bounty and have you sign a false NDA.’ If you have additional duties for the FTC, you can provide them with relevant information, comply with breach notification laws, and act on your violations.”

However, both Tuma and Vance note that the environment in the United States for handling data extortion scenarios and working with law enforcement on ransomware investigations has evolved significantly since 2016. For executives tasked with protecting their company’s reputation and viability — in addition to protecting users — the options for how to respond a few years ago were far more convoluted than they are today. And this may be exactly where the Justice Department’s attempt to prosecute Sullivan is.

“Tech companies in the Northern District of California collect and store large amounts of data from users. We expect those companies to protect that data and alert customers and appropriate authorities when that data is stolen by hackers,” US attorney Stephanie Hinds said in a statement about the conviction on Wednesday. “Sullivan claims to have worked to hide the data breach from the Federal Trade Commission and taken steps to prevent the hackers from being caught. Where such conduct violates federal law, it will be prosecuted.”

Sullivan has yet to be convicted – another chapter in the story that security chiefs are sure to watch extremely closely.

newsofmax

desi aunty x videos kamporn.mobi hot smooch andaaz film video pornstarsporn.info tamil sexy boobs internet cafe hot tubetria.mobi anushka sex video desi sexy xnxx vegasmovs.info haryana bf video 黒ギャル 巨乳 無修正 javvideos.net 如月有紀