Federal prosecutors say Joe Sullivan obstructed justice when in 2016, because the chief of safety for Uber, he did not disclose a breach of driver and buyer data to authorities regulators.
However Mr. Sullivan’s legal professionals say that he under no circumstances hid the incident and that claims that he broke the legislation stem from Uber’s efforts to recast its picture following the turbulent reign of the corporate’s former chief govt Travis Kalanick.
Opening arguments started on Wednesday in a San Francisco federal court docket in what is predicted to be a monthlong trial for Mr. Sullivan, who, along with obstruction of justice, is accused of concealing a felony. Many safety consultants consider that Mr. Sullivan, a former federal prosecutor, is the primary govt at an organization to face potential prison legal responsibility for an information breach.
Company safety officers say the trial’s final result may inform how they deal with safety incidents, together with how they work together with hackers and after they reveal data to customers and regulators.
“There’s the specter of jail time. You possibly can’t put an organization in jail. You possibly can put an govt in jail. Now, that’s on the desk,” mentioned Chinmayi Sharma, a scholar in residence and lecturer on the Robert Strauss Heart for Worldwide Safety and Legislation on the College of Texas at Austin.
In 2016, Mr. Sullivan discovered that hackers had gained entry to the non-public knowledge of about 600,000 Uber drivers and extra private data related to 57 million riders and drivers, in accordance with the prison grievance towards him.
Mr. Sullivan referred the hackers to Uber’s bug bounty program, a standard means of paying “white hat” safety researchers to establish and report safety vulnerabilities in common on-line providers, prosecutors mentioned on Wednesday.
Via this system, Uber paid the hackers $100,000 and had them signal nondisclosure agreements, federal prosecutors mentioned. The corporate didn’t disclose the incident to the general public or inform the Federal Commerce Fee of it.
The 2 younger males answerable for the incident later pleaded responsible to hacking. One in all them is predicted to testify within the trial.
The authorities accuses Mr. Sullivan of failing to reveal the breach to the F.T.C. whereas the company investigated Uber over an earlier incident.
In all 50 states, corporations are required to reveal safety breaches if hackers obtain personally identifiable knowledge and a sure variety of customers are affected. There isn’t any federal legislation requiring corporations or executives to disclose breaches to regulators.
One in all Mr. Sullivan’s attorneys mentioned the duty for reporting the incident had rested with Uber’s authorized workforce. Mr. Sullivan, he argued, correctly disclosed the incident to the authorized workforce and others on the firm.
“You gained’t hear a single witness take that stand and say that Joe Sullivan informed them to misinform the F.T.C. or destroy paperwork or cover what had occurred from Uber’s senior administration or the Uber authorized workforce,” mentioned David Angeli, considered one of Mr. Sullivan’s attorneys.
The info breach didn’t turn into public till 2017, when Dara Khosrowshahi grew to become Uber’s new chief govt and fired Mr. Sullivan. Uber declined to remark for this story.
Mr. Angeli mentioned that the notion that Mr. Sullivan had hid the breach was a “narrative” created by Uber’s new govt workforce and that Mr. Khosrowshahi had accused Mr. Sullivan of failing to reveal the incident as a result of Mr. Khosrowshahi had needed to distance the corporate from its previous.
“His mantra was Uber 2.0,” Mr. Angeli mentioned of Mr. Khosrowshahi. “He needed to show the web page of what Uber was doing.”
Andrew Dawson, an assistant U.S. lawyer, mentioned Mr. Sullivan had tried to hide the incident each earlier than and after Mr. Khosrowshahi had joined the corporate. “This can be a case a few cover-up, about payoffs and about lies,” he mentioned. “The proof will present that Mr. Sullivan paid for the hackers’ silence” as a result of Uber was being investigated by the F.T.C.
Mr. Dawson mentioned Mr. Sullivan had lied to Mr. Khosrowshahi in an e-mail describing the incident to the brand new Uber chief govt, implying that the hackers had not downloaded any knowledge from the corporate.
Mr. Angeli argued that Mr. Sullivan had only a few communications with the F.TC. throughout the company’s investigation of Uber and that the corporate’s legal professionals had been answerable for its response to the investigation.
“The Uber authorized workforce had all the knowledge it wanted” with a purpose to resolve whether or not the corporate ought to report the 2016 safety incident to the company, he mentioned.
He mentioned that 30 individuals on the firm had identified concerning the breach and that Mr. Khosrowshahi had been conscious of it for nearly three months earlier than the corporate had reported it. By placing the blame on Mr. Sullivan, he argued, Uber’s new administration workforce was in a position to wash their arms of the incident.