Widener University Commonwealth Law School
MONTH-IN-BRIEF (Mar 2025)
Former Chief Security Officer’s Sentence for Covering Up Data Breach Affirmed
By Alan S. Wernick, Esq., Wernick & Associates, LTD.
Stewards of a business’s data, including personally identifiable information (“PII”) and protected health information (“PHI”), have certain legal obligations before and after the business is thrust into a cybersecurity event. If that event matures into a data breach, then those legal obligations rapidly evolve and could include, among other things, an investigation by the Federal Trade Commission (“FTC”) or other federal agency, or a state attorney general or other state agency. The outcomes from the data breach depend on the facts, the applicable law, and the choices those stewards of the business’s data—including chief executive officers, chief financial officers, general counsel, chief privacy officers, chief security officers, etc.—make in response to the data breach.
A U.S. District Court case, United States v. Joseph Sullivan, and the recent U.S. Court of Appeals decision related to it provide a case study for such stewards of business’s data to consider and learn from. In that case, Joseph Sullivan, the former chief security officer (“CSO”) for Uber Technologies (“Uber”), made certain choices in response to data breaches at Uber and was found guilty by a jury of obstruction of justice and misprision[1] of a felony arising from his efforts to cover up a major data breach even as Uber was in the midst of an investigation by the FTC into Uber’s data security practices. Verdict Form, United States v. Sullivan, No. 20-cr-00337-WHO-1 (N.D. Cal. Oct. 5, 2022). The U.S. District Court Judge sentenced Sullivan to a three-year term of probation and ordered him to pay a fine of $50,000. Id. (Criminal Minutes (Sentencing Hearing) (May 4, 2023); id. (Judgment in a Criminal Case (May 9, 2023)). The CSO appealed his conviction.