The Ninth Circuit Court of Appeals recently upheld the conviction of Joe Sullivan, Uber’s former Chief Security Officer, for his role in covering up a 2016 data breach. This case has set a significant precedent for corporate accountability in data security, reinforcing that executives can face criminal charges for mishandling cybersecurity incidents.
The ruling highlights the increasing legal and ethical pressure on technology leaders to report breaches transparently and comply with regulatory requirements.
Background of the Case
In 2016, Uber suffered a massive data breach that exposed the personal information of approximately 57 million users and drivers. At the time, Uber was under investigation by the Federal Trade Commission (FTC) for a prior 2014 breach.
Prosecutors alleged that, instead of disclosing the new breach, Sullivan arranged to pay the hackers $100,000 through Uber’s bug bounty program and required them to sign non-disclosure agreements (NDAs) to keep the incident quiet.
The security leader was charged with obstruction of justice and misprision of a felony (knowing that a felony has been committed, failing to report it to the authorities, and taking an affirmative step to conceal it). Prosecutors argued that his actions were designed to mislead the FTC and protect Uber’s reputation rather than safeguard user data. A jury found Sullivan guilty in 2022, and in 2023 he was sentenced to three years of probation, 200 hours of community service, and a $50,000 fine. His appeal challenged the validity of the charges and the jury instructions.
Key Elements of the Ninth Circuit Ruling
The Ninth Circuit rejected Sullivan’s appeal, affirming that:
- Obstruction of Justice: Sullivan’s decision to conceal the breach while Uber was under FTC investigation constituted a deliberate effort to mislead regulators.
- Misprision of a Felony: By paying the hackers and securing NDAs, Sullivan knowingly concealed criminal activity rather than reporting it to law enforcement.
- Sufficient Evidence: The court found ample evidence that Sullivan acted with the intent to prevent the FTC from learning about the breach.
- Jury Instructions: The court ruled that the jury had been properly instructed on the legal definitions of obstruction and misprision, dismissing Sullivan’s claim that the instructions were misleading.
Implications for Cybersecurity Leaders
This ruling reinforces the growing accountability of cybersecurity executives in handling data breaches. Key takeaways for technology leaders include:
- Transparency Is Non-Negotiable: Attempting to conceal breaches can lead to personal liability and criminal charges. Executives must prioritize full disclosure to regulatory bodies.
- Bug Bounty Misuse: Paying a bounty is not itself the problem; the problem is using the program to pay attackers who have already taken data and then binding them with NDAs so that regulators, law enforcement, and affected users never learn of the incident. That pattern undermines the integrity of bug bounty programs and may be treated as obstruction or concealment of a felony.
- Board and Shareholder Pressure: The ruling increases the pressure on corporate boards to enforce strict compliance protocols and hold executives accountable for data security decisions.
- Personal Risk for Executives: The company’s legal team represents the company, not the individual. A CISO who participates in concealing a breach can be prosecuted personally, so decisions about disclosure should be documented and escalated rather than handled quietly within the security organization.
Broader Industry Impact
This case sets a precedent for how corporate security lapses are handled legally. It signals to both companies and regulators that failing to disclose breaches can result in severe consequences for individual executives.
For CISOs and other security leaders, the ruling underscores the importance of aligning incident response strategies with regulatory expectations and ethical standards.
The Wrap
The Ninth Circuit’s decision to uphold Joe Sullivan’s conviction signals a new era of accountability for security executives. The ruling establishes that CISOs can face personal legal consequences for concealing breaches or misleading regulators.
For technology leaders, the message is unequivocal: transparency, ethical incident handling, and strict regulatory compliance are critical pillars of corporate governance. This case underscores that protecting a company’s reputation at the expense of legal and ethical standards comes with serious personal and professional risks.
Go Deeper -> United States of America v. Joseph Sullivan – USCourts.gov