A jury found Sullivan guilty on Wednesday of failing to report a customer and driver data breach.
While the Federal Trade Commission was looking into the earlier incident, Mr. Sullivan learned of a new one.
Mr. Sullivan was found guilty of obstructing the F.T.C. investigation and acting to conceal a felony from authorities.
The case could change how security professionals handle data breeches.
The way responsibilities are split is going to be affected by this. This will have an impact on what is documented. The way bug bounty programs are designed will be affected by this.
The jury took more than 19 hours to reach a verdict in Mr. Sullivan's trial.
David Angeli, a lawyer for Mr. Sullivan, said they appreciated the work of the jury. Mr. Sullivan is focused on ensuring the safety of people's data on the internet.
The assistant U.S. attorney wouldn't say anything about the verdict. Requests for comment from the company were not responded to.
Mr. Sullivan was deposed by the F.T.C. as part of its investigation into the incident. He received an email from a hacker who claimed to have found another security vulnerability in the company's systems.
According to court testimony and documents, Mr. Sullivan learned that a hacker had downloaded the personal data of 600,000 drivers for the ride-sharing company. The hackers wanted the ride-sharing company to pay them a lot of money.
They were referred to the bug bounty program by Mr. Sullivan. According to testimony and documents, payouts were capped at $10,000. Mr. Sullivan had the hackers sign a nondisclosure agreement.
One of the hackers said he was trying to get money from the ride hailing service.
The F.T.C. was not told about the incident until a new chief executive arrived at the company. Two people pleaded guilty to a hack.
If a certain number of users are affected by a hack, states usually require companies to report it. There isn't a federal law that requires companies or executives to tell regulators if they break the law.
Federal prosecutors argued that Mr. Sullivan hid the hack from the F.T.C.
An assistant U.S. attorney said during closing arguments that he took many steps to keep the F.T.C. from finding out about it. This was a deliberate hiding of information.
Mr. Sullivan did not tell the general counsel about the hack. He had a discussion with Craig Clark.
Mr. Clark was fired by the new chief executive after he learned about the incident. The federal prosecutors gave Mr. Clark immunity so he could testify against Mr. Sullivan.
Mr. Clark said that Mr. Sullivan told the security team to keep the hack a secret.
Mr. Sullivan told Mr. Clark that he would talk to the A Team of executives. The chief executive of the A Team at the time was Kalanick. The $100,000 was approved by Mr. Kalanick.
Mr. Sullivan's lawyers argued that he had been doing his job.
They argued that Mr. Sullivan hid the incident from the F.T.C. because he used the bug bounty program and nondisclosure agreement to prevent user data from being leaked.
According to one of the jurors, after the trial, it was clear that Mr. Sullivan hid the violation from authorities. He said that it was all documented very clearly.