Privacy Enforcement Gets Personal: Uber and Drizly
By Kewa Jiang
In early October 2022, a jury found Uber’s former Chief Security Officer, Joseph Sullivan, guilty of obstruction of justice and deliberate concealment of a felony in connection with a 2016 data breach at the company. The Department of Justice alleged that Sullivan tried to prevent information about a data breach affecting 57 million passengers and 600,000 drivers’ license plates from being reported to regulators. Instead, Sullivan arranged for the hackers responsible for the breach to be paid in bitcoin in exchange for signing non-disclosure agreements. He also failed to disclose information about the breach and its investigation to other Uber executives and to the FTC, which was working with Uber at the time to settle a prior data breach incident.
The individual prosecution and conviction of Sullivan shocked and worried some privacy professionals, who now fear they may be held personally liable in the event of a data breach. Critics point to the fact that other Uber executives who may have known about the 2016 breach were not charged. However, as United States Attorney Stephanie M. Hinds stated in the DOJ’s press release, the charges do not stem from the data breach itself but from the fact that Sullivan “affirmatively worked to hide the data breach.”
On the heels of Sullivan’s conviction, the FTC announced an enforcement action not only against Drizly, an Uber subsidiary that delivers alcohol to users, but also against its CEO, James Cory Rellas. The FTC alleges that the company and Rellas were alerted to security problems related to the company’s lax security program two years before a breach occurred. The breach exposed 2.5 million consumers’ personal information. In its complaint, the agency alleges that Rellas is personally responsible for the failure to protect consumer data because “he did not implement, or properly delegate the responsibility to implement, reasonable information security practices.” As part of the consent order, the FTC stipulated that Rellas would be required to implement an information security program even if he moved to a different company. The order will follow Rellas if he moves to a company that collects consumer information from more than 25,000 individuals and if he serves there as majority owner, CEO, or a senior officer with information security responsibilities.
Looking ahead, it remains to be seen whether regulators’ tougher stance toward company executives will continue. But regulators are sending a loud message to executives: implement sufficient data privacy programs or face personal liability for failing to do so.