Charges From Botched Data Breach Responses Put the Heat on Corporate Execs
All 50 U.S. states have data breach notification laws; the first was enacted 18 years ago in California. Pennsylvania’s Breach of Personal Information Notification Act is more than 15 years old. And, ever since, data breach notices have been headlining newspapers (and appearing in recipients’ mailboxes). A business leader would be hard-pressed to ignore that all U.S. states and most international jurisdictions have laws that trigger notification obligations in the wake of data security incidents.
A dirty secret, nonetheless, is that many organizations indifferently fail or deliberately avoid notifying customers of a breach of personally identifiable information. A 2017 paper studying the economics of information security concluded that more than 60% of U.S. data breaches go unreported. The cleverly titled study, “Estimating the Size of the Iceberg from Its Tip: An investigation into unreported data breach notifications” by Fabio Bisogni, et al.) clearly explains several reasons for such nonreporting:
Many companies fail to even detect the incident or lack logs sufficient to establish that it resulted in unauthorized access to personal information.
Some state laws permit companies to forego notification if they find little risk of harm to the affected persons.
And, some companies simply decide not to notify and instead to bear the risk of private lawsuits, regulatory enforcement actions, and the potential of incurring significant reputational damage, later, in favor of the immediate savings of not having to pay for the notification process and the prospect that the incident may never become public.
Imagine a company victimized by ransomware. The company may just pay the ransom and hope to get back to business, without ever investigating. Or, the company might hire a vendor to restore systems from backup, without analyzing whether the ransomware variant may have stolen files before encrypting them. In either event, the company may move on hoping that the ransomware attack will never come to light. Such a scenario gave rise in 2020 to a lawsuit by Hiscox Insurance against a law firm that represented its policyholders; Hiscox alleges the firm acquiesced to hackers’ demands and paid a ransom in 2016, believing that doing so would protect the policyholders’ data. By 2018, the data nonetheless allegedly ended up on the dark web. But to the firm, nondisclosure may have seemed a reasonable course of action given the unlikeliness the incident would be discovered and the limited likelihood of private litigation.
But two recent criminal and regulatory enforcement actions may drastically alter the calculus for companies weighing whether to issue notifications following a data breach.
First, on Aug. 19, 2020, a criminal complaint was filed in California federal court against Joe Sullivan, former chief security officer for Uber Technologies. Federal prosecutors allege that Sullivan obstructed justice and wrongfully concealed a felony when he withheld and concealed from the Federal Trade Commission his knowledge of a 2016 hack of Uber’s systems that purportedly resulted in hackers obtaining personal data of more than 57 million Uber drivers and passengers.
Sullivan allegedly participated in an effort to cover up the 2016 breach by paying the hackers through the company’s bug bounty program and securing nondisclosure agreements from them, all while Uber already was under investigation by the FTC for an earlier 2014 data breach. Wired Magazine called the indictment was a “warning shot,” the “first direct example in the United States of a corporate executive facing criminal charges and prison time … over a data breach response.”
Sullivan faces several years in prison on each of the criminal charges. Rather than go down alone, Sullivan, meanwhile, argues that it was Uber’s legal department that was responsible for deciding whether, and to whom, the 2016 breach should be disclosed.
His circumstances rise far beyond mere willful neglect of a breach notification obligation—the federal prosecutors likely were rankled that Sullivan learned of the 2016 breach even while in the midst of providing testimony during the agency’s investigation of the 2014 incident, and failed to share the information with the FTC. But the first criminal prosecution of a corporate executive arising out of the alleged coverup of a data breach should give pause to any business leader otherwise inclined to allow such an incident to go unreported.
Second, the New York Department of Financial Services on July 22, filed charges against First American Title Insurance Company in the first action seeking to enforce the department’s cybersecurity regulation. First American allegedly had a problem in the file-naming conventions used for its online document management system, which allowed users to bring up documents, without authorization, merely by changing digits in the document ID number that made up part of the URL address for each document. The unsecured documents contained Social Security numbers, driver’s license images, and bank account numbers and statements.
First American allegedly learned of this rather striking lapse of data security in December 2018, but failed to recognize the severity of the problem, and so left unsecured more than 700 million documents (many containing nonpublic personal information) until May 2019. Indeed, the Department alleges that First American’s own penetration tests warned that thousands of these documents had been indexed by Google’s search engine.
Because First American failed to follow its own internal policies and neglected to conduct a risk assessment and otherwise adequately respond in a timely manner to the serious vulnerability, the department has levied charges against First American carrying penalties of up to $1,000 per violation, with the charges suggesting that each exposed record could constitute a separate violation, leaving the company facing maximum potential exposure of billions of dollars.
These civil and criminal investigations show a heightened risk for businesses and executives who might refuse to acknowledge a potential data breach or be inclined to avoid issuing notifications to affected individuals.