Shawn Tuma is a partner in the law firm Spencer Fane who specializes in data privacy issues. He was under a duty to give more information to the FTC after giving testimony. It works that way.

The misprision of felony charge is the more concerning conviction in terms of future precedent, according to Tuma. The prosecution may have been motivated by Sullivan's failure to notify the FTC of the 2016 breach, but the public perception is that it is never acceptable to pay a hacker to keep their data private.

The situations are very charged and the CSOs are under a lot of pressure. Sullivan seems to have succeeded in keeping the data out, so they succeeded in protecting user data. I don't know if I would have done that. I hope that doesn't happen.

Sullivan told The New York Times in a statement that he was surprised and disappointed when people suggested that this was a cover-up.

The specific facts of the case are that Sullivan didn't just lead the ride-sharing company to pay the criminals. The hackers who pleaded guilty to perpetrating the breach in October were part of his plan. The FBI doesn't condone paying hackers off, but US law enforcement generally sends a message that what it values most is being notified. If victims inform the government and cooperate with law enforcement, the Treasury Department can be more flexible when it comes to making payments. In some cases, officials working with victims have been able to trace payments and try to recover money, as was the case with the 2021 Colonial Pipeline incident.

Tuma says that the one that gives him the most concern is the one where paying a hacker could be seen as criminal wrongdoing. The FBI encourages people to report these incidents, and I have never had a bad experience working with them. The difference between making that payment to the bad guys to buy their cooperation and saying, "We're going to try to make it look like a bug bounty and have you sign an NDA that's false" is significant. You could give the FTC relevant information if you have a duty to supplement the FTC.

The climate in the US for handling data extortion situations and working with law enforcement has changed a lot in the last couple of years. The options for how to respond a few years ago were more complicated than they are now. The Justice Department is trying to prosecute Sullivan.

In the Northern District of California, technology companies collect and store a lot of data. The US attorney's office said in a statement that they expect the companies to protect the data and alert authorities when it is stolen. Sullivan tried to hide the data breach from the Federal Trade Commission. The conduct will be prosecuted where it is against the law.

Sullivan has yet to be sentenced, another chapter in the saga that security executives will be keeping a close eye on.