The U.S. Court of Appeals for the Ninth Circuit upheld the conviction of Joe Sullivan, former Uber CSO, on obstruction charges. Sullivan was convicted in 2023 for attempting to cover up a 2016 data breach that exposed the personal information of millions. The court rejected his appeal, which alleged errors in the jury instructions and in the introduction of a hacker’s guilty plea. Sullivan’s defense focused on misprision, claiming that non-disclosure agreements with the hackers retroactively made their actions legal, but the court disagreed.
Sullivan’s decision to pay hackers $100,000 and require them to sign non-disclosure agreements, without informing the FTC, led to the obstruction charges.
The court emphasized that the hackers’ actions were illegal under the Computer Fraud and Abuse Act (CFAA) and could not be sanitized by the agreements. Sullivan’s claim that he believed the hackers’ actions were authorized was dismissed by the judges, who pointed to evidence suggesting he knew their conduct was illegal at the time.
Despite his appeal, Sullivan’s sentence was not altered significantly. He was given three years of probation, a $50,000 fine, and community service. U.S. prosecutors had pushed for a 15-month prison sentence, but the court denied this request.
Sullivan has received support from the cybersecurity community, with many suggesting that he was scapegoated by Uber’s executives, including former CEO Travis Kalanick.
Sullivan’s conviction has raised concerns within the cybersecurity industry. Many professionals argue that a custodial sentence would set a dangerous precedent, potentially discouraging security experts from reporting breaches. The court decision underscores the importance of transparency in handling cybersecurity incidents, even when mistakes are made, and sends a strong message about the legal consequences of mishandling sensitive data.