CURRENT MONTH (March 2025)

Former Chief Security Officer’s Sentence for Covering Up Data Breach Affirmed

By Alan S. Wernick, Esq., Wernick & Associates, LTD.

Stewards of a business’s data, including personally identifiable information (“PII”) and protected health information (“PHI”), have certain legal obligations before and after the business is thrust into a cybersecurity event. If that event matures into a data breach, then those legal obligations rapidly evolve and could include, among other things, an investigation by the Federal Trade Commission (“FTC”) or other federal agency, or a state attorney general or other state agency. The outcomes from the data breach depend on the facts, the applicable law, and the choices those stewards of the business’s data—including chief executive officers, chief financial officers, general counsel, chief privacy officers, chief security officers, etc.—make in response to the data breach.

A U.S. District Court case, United States v. Joseph Sullivan, and the recent U.S. Court of Appeals decision related to it provide a case study for such stewards of a business’s data to consider and learn from. In that case, Joseph Sullivan, the former chief security officer (“CSO”) for Uber Technologies (“Uber”), made certain choices in response to data breaches at Uber and was found guilty by a jury of obstruction of justice and misprision[1] of a felony arising from his efforts to cover up a major data breach even as Uber was in the midst of an investigation by the FTC into Uber’s data security practices. Verdict Form, United States v. Sullivan, No. 20-cr-00337-WHO-1 (N.D. Cal. Oct. 5, 2022). The U.S. District Court Judge sentenced Sullivan to a three-year term of probation and ordered him to pay a fine of $50,000. Id. (Criminal Minutes (Sentencing Hearing) (May 4, 2023)); id. (Judgment in a Criminal Case (May 9, 2023)). The CSO appealed his conviction.

In United States v. Joseph Sullivan, the U.S. Court of Appeals for the Ninth Circuit reviewed defendant’s arguments that the district court erred in rejecting two of his proposed jury instructions regarding the obstruction charge. No. 23-297, slip op. (9th Cir. Mar. 13, 2025, corrected Mar. 20, 2025). After review of defendant’s arguments, the appellate court panel in its March 13, 2025, decision rejected them and affirmed the district court.

The bottom line is that a business, and the stewards of a business’s data, should carefully consider the choices they make in response to a cybersecurity event or data breach, both before and after being confronted with the situation. As Judge McKeown, writing on behalf of the Ninth Circuit Court of Appeals panel, stated, “The jury’s verdict in this case underscores the importance of transparency even in failure situations—especially when such failures are the subject of federal investigation.” Id. at 19.

© 2025 Alan S. Wernick.


  1. “Misprision is the crime of ‘having knowledge of the actual commission of a felony’ and ‘conceal[ing]’ or failing to ‘as soon as possible make known the same to some judge or other person in civil or military authority under the United States.’” United States v. Sullivan, No. 23-297, slip op. at 3 (9th Cir. Mar. 13, 2025, corrected Mar. 20, 2025).
