Was Your Business Hacked?
Take a Lesson from Uber, Minimize Risk Now and Do the Right Thing

By Stephen Toland, Attorney

The Former Chief Security Officer for Uber was convicted by a federal jury in early October for attempting to cover up a 2016 data breach involving more than 50 million customer records. This decision sets a precedent and will forever change how security professionals handle data breaches. It also increases the risk for these professionals who may be left holding the bag when data breaches are not managed appropriately.   

Uber Hack 

 Joe Sullivan was widely considered to be one of the top information security experts in the country. As an Assistant U.S. Attorney for the Northern District of California, Sullivan was one of the first federal prosecutors to work on cybercrime cases. He entered the private sector in 2002, first with eBay, then Facebook and Uber. 

 Sullivan joined Uber in early 2015 as their Chief Security Officer. In late 2016, Uber was hacked. The hackers asked for a large ransom. Immediately after learning about the breach, Sullivan began a scheme to hide it from the public and the Federal Trade Commission (FTC), which had been investigating a smaller 2014 hack. He arranged to pay the hackers $100,000 in bitcoin in exchange for them signing non-disclosure agreements promising not to reveal the hack.  

 Sullivan was convicted of obstruction of proceedings of the FTC and misprision of felony in connection to his role in the 2016 hack of Uber. He currently awaits sentencing. 

This precedent effectively warns cybersecurity professionals that failing to disclose a breach will have consequences.  

 Data Compliance Plan 

Companies that store their customers’ data have a duty and obligation to protect that data and notify the appropriate governing authorities when breaches occur. It is not illegal to negotiate with hackers, nor is it illegal to pay a ransom (such practices are known as bug bounties). But when you become aware of the breach you have a duty to share the details of the breach with the FTC and local law enforcement. 

 This is where conflicts arise. Stakeholders likely hold stock in the company. At one point he or she sees the dilemma:

Do we need to share all cyber breaches with the FTC if we handled it entirely and completely?

 

The clear answer in the light of the Sullivan case is yes. 

If your company has not yet been the target of hackers, it most likely will. Roughly a third of all breaches in the US in 2020 were small businesses. Create a Data Compliance Plan now and make plans to review it often with your cybersecurity team.  

  • Determine your legal requirements. All states have enacted legislation requiring notification of security breaches involving personal information. Check state and federal laws for any specific requirements for your business. 
  • Notify local law enforcement. Report your situation and the potential risk for identity theft. The sooner law enforcement learns about the theft, the more effective they can be and the more insulated from liability your company will be.
  • Notify individuals. If you quickly notify people of the breach, they can take steps to reduce the chance that their information will be misused. In deciding who to notify, consider state laws, the nature of the compromise, and the type of information taken.

The FTC recommends you designate one spokesperson, an employee or outside advisor, to speak with the FTC and local law enforcement. In the wake of the Sullivan decision, best practices suggest your company should consider utilizing outside legal counsel. A legal expert in this area can not only assist your company by identifying the correct governing authority to whom the breach should be reported; but can ensure a consistent, timely and appropriate message is reported and thereby reduce the risk of a criminal investigation.   

The field of cybersecurity is still relatively young, lacking the body of law and knowledge gained over years, but one thing is certain: Companies are being attacked and stakeholders are doing what they can to defend it. The best practice here is when faced with a lose-lose decision, do the right thing and disclose the breach as soon as is practically possible. Then, try to learn about what went wrong and how to avoid another breach in the future. Continuing to advance and strengthen cybersecurity will always be a worthwhile investment.