For the first time, federal law enforcement authorities in California have criminally charged a former Chief Security Officer of a popular ride-hailing app for failing to alert investigators about a security incident that exposed the email addresses and phone numbers of 57 million drivers and passengers.
Prosecutors said that Joseph Sullivan, 52, committed two felonies when he didn’t disclose the 2016 incident to federal investigators who were already investigating a similar data breach that had occurred two years earlier.
Whether the charges will result in a conviction remains uncertain at this point. But the criminal charges filed in U.S. District Court in San Francisco are intended to send a clear message, and they draw an important distinction between failing to protect a company’s computer network and failing to tell the authorities about it.
More important for the privacy and data security community is the global trend now unfolding. Earlier this year, for example, a South Korean court found the privacy officer of a South Korean travel agency guilty of negligence for failing to prevent a 2017 data security breach. The breach affected over 465,000 agency customers and roughly 29,000 agency employees. The Korean court imposed a penalty of KRW 10 million against the privacy officer, in addition to the KRW 327 million imposed against the company by the Ministry of Interior and Safety. Beyond the fines, the Korean Prosecutor’s Office also requested an eight-month prison sentence against the privacy officer, which the Korean court decided not to impose.
With the threat of criminal charges, fines, and costs associated with mounting a defense, this is a noteworthy trend highlighting the liability risks global privacy officers and chief information security officers face in performing their duties.
If convicted on both charges, Mr. Sullivan could face up to eight years in prison. We will continue to monitor this legal development, and update our clients on similar law enforcement activities.
If you have any questions about this or any other privacy law, please do not hesitate to reach out to the author, Harry Valetk.
“When a company ... gets hacked, we expect good corporate citizenship, we expect prompt disclosure to the employee and consumer victims in that hack. In this case, what we saw was the exact opposite of good corporate behavior,” said David Anderson, the U.S. attorney in San Francisco.