A U.S. District Court case, United States v. Joseph Sullivan, and the recent U.S. Court of Appeals decision related to it provide a case study for such stewards of business’s data to consider and learn from. In that case, Joseph Sullivan, the former chief security officer (“CSO”) for Uber Technologies (“Uber”), made certain choices in response to data breaches at Uber and was found guilty by a jury of obstruction of justice and misprision of a felony arising from his efforts to cover up a major data breach even as Uber was in the midst of an investigation by the FTC into Uber’s data security practices. Verdict Form, United States v. Sullivan, No. 20-cr-00337-WHO-1 (N.D. Cal. Oct. 5, 2022). The U.S. District Court Judge sentenced Sullivan to a three-year term of probation and ordered him to pay a fine of $50,000. Id. (Criminal Minutes (Sentencing Hearing) (May 4, 2023); id. (Judgment in a Criminal Case (May 9, 2023)). The CSO appealed his conviction.
In United States v. Joseph Sullivan, the U.S. Court of Appeals for the Ninth Circuit reviewed defendant’s arguments that the district court erred in rejecting two of his proposed jury instructions regarding the obstruction charge. No. 23-297, slip op. (9th Cir. Mar. 13, 2025, corrected Mar. 20, 2025). After review of defendant's arguments, the appellate court panel in its March 13, 2025, decision rejected them and affirmed the district court.
The bottom line is that a business, and the stewards of a business’s data, should carefully consider the choices they make in response to a cybersecurity event or data breach, both before and after being confronted with the situation. As Judge McKeown, writing on behalf of the Ninth Circuit Court of Appeals panel, stated, “The jury’s verdict in this case underscores the importance of transparency even in failure situations—especially when such failures are the subject of federal investigation.” Id. at 19.
© 2025 Alan S. Wernick.
