But District Court Judge William Orrick also warned other security executives that they might not be so fortunate as to avoid prison time in such cases.
As Axios reports, Orrick said during the sentencing, “If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison.” Orrick reportedly added, “When you go out and talk to your friends, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off.”
As Dark Reading reports, some in the industry viewed Sullivan as the scapegoat for a wider security lapse at the ride-hailing giant. Prosecutors in the case, meanwhile, had pushed for a 15-month prison term. Some will probably see the no-prison-time sentence as too weak a deterrent to executives tempted to cover up data breaches in the future.
A federal jury found Sullivan guilty in October 2022 on two felony counts involving a November 2016 data breach at Uber that affected about 57 million customers and 600,000 drivers. One of the counts concerned withholding information about the breach from Federal Trade Commission authorities who were then probing a 2014 Uber breach.
Along with probation, the judge also sentenced Sullivan to 200 hours of community service and a $50,000 fine.
As The Wall Street Journal reports, current and former security leaders said in letters filed in court documents that a harsh sentence in this potentially precedent-setting case might prompt executives to err on the side of discussing too much. Ed McAndrew, a partner at law firm BakerHostetler and former federal cybercrime prosecutor, said that paying hackers not to publish data and other practices involved in Sullivan’s case were unusual in 2016 but are typical today.
Ira Winkler, field CISO at the security risk-management company Cyesec, told the Journal that Sullivan wasn’t a mere fall guy here. “The lessons from this case show that CISOs should act morally and ethically, and within the bounds of the law,” Winkler said.
Peter Swire, a law and ethics professor at the Georgia Institute of Technology’s Scheller College of Business, told Law.com, “Security chiefs ought to know already that they shouldn’t submit sworn testimony that is untrue or seriously misleading.”