Former Uber Executive Convicted of Criminal Charges for Mishandling of 2016 Data Breach

October 6, 2022 | Insights

On October 5, Uber's former Chief Security Officer (“CSO”) was convicted of criminal felony charges for obstruction of justice and misprision (i.e., concealing) of a felony relating to his handling of a 2016 data breach that exposed the personal data of millions of Uber drivers and users. This case marks the first time a company executive has been held criminally liable for the handling of a data breach in the United States, and the CSO could face up to eight years in prison. In a press release announcing the verdict, the Department of Justice warned that the FBI and its government partners “will not allow rogue technology company executives to put American consumers’ personal information at risk for their own gain.”

The government alleged that the CSO made a number of missteps in his handling of the 2016 data breach, including the following:

  • Despite overseeing the Federal Trade Commission’s (“FTC”) contemporaneous investigation into an earlier data breach, the CSO did not disclose the new breach to the FTC.
  • The CSO granted the hackers $100,000 in bitcoin under Uber’s Bug Bounty Program, despite the hackers not meeting the terms of the Program. Moreover, the hackers were required to sign non-disclosure agreements (“NDAs”) stating that the hackers never took or stored data, representations that the CSO knew to be false. Prosecutors viewed use of the NDA as a cover-up.
  • The CSO did not inform Uber’s in-house or outside attorneys working on the FTC investigation that the breach had occurred.