Where to? Criminal liability for concealing data breaches

Uber’s former chief of security, Joe Sullivan, was found guilty recently of covering up a 2016 cyber-attack which affected 57m Uber riders and drivers. A San Francisco jury found Sullivan had failed to tell regulators about the incident and resulting payments to two hackers via Uber’s HackerOne bug bounty program. Sullivan reportedly faces up to eight years in prison.

Sullivan’s trial is believed to be the first time a senior executive has faced criminal charges relating to a data breach, and his conviction has been openly questioned by many in the cyber security industry. The facts of the case are nuanced and case-specific but, with cyber-attacks increasingly common, could we see criminal prosecutions and convictions of a similar nature in England and Wales?

There are a number of ways such prosecutions could arise in circumstances where an executive has failed to report or actively sought to cover up a data breach:

1. Perverting the course of justice: Sullivan was convicted of misprision (failure to report a crime) and obstructing justice in the US. The equivalent offence in England & Wales is perverting the course of justice. Perverting the course of justice is a serious common law offence that can carry a sentence of up to life imprisonment. However, the sentence for doing so by concealing evidence is likely to range from four to 18 months. Crucially, it does not matter whether or not the acts actually result in a perversion of the course of justice: the offence is committed when acts tending and intended to pervert a course of justice are done, hence why the offence is sometimes referred to as "attempting to pervert the course of justice". The offence can also overlap with similar, ancillary offences such as “wasting police time”, or “concealing arrestable offences” under s.5(1) Criminal Law Act 1967.

2. Criminal offences under the UK GDPR: failing to notify the Information Commissioner’s Office (ICO) of a data breach when required to do so is not itself a criminal offence (albeit it can result in heavy fines of up to £8.7m or 2% of annual global turnover). However, there are two criminal offences under the Data Protection Action 2018 (DPA 2018) which could be engaged were information to be concealed while an ICO investigation is ongoing: under s.144 and s.148 DPA 2018 knowingly making a false statement, or destroying/falsifying information and documents, in response to an ICO information notice, is a criminal offence with a maximum penalty up to an unlimited fine. 

3. Failure to notify appropriate regulators or make adequate disclosures to the market: aside from the ICO, other regulators may need to be notified of a data breach. For instance, the FCA expects to be told by companies in the regulated sector about anything of which it would reasonably expect notice. This includes any matter which could have a significant adverse impact on a firm’s reputation; or any matter which could result in serious financial consequences (such as a serious data breach). Failing to disclose is not itself a criminal offence. However, under s.398 Financial Services and Markets Act 2000, it is an offence to knowingly or recklessly provide the FCA with information which is false or misleading (for instance, to try and conceal a data breach). This could also result in unlimited financial penalties.

Further, the Market Abuse Regulation (UK MAR) makes insider dealing, unlawful disclosure, market manipulation and attempted manipulation civil offences, and gives the FCA powers and responsibilities for preventing and detecting market abuse. Listed companies are under an obligation to disclose to the public as soon as possible any information which meets the criteria of “inside information”. Article 7 UK MAR defines inside information as including any non-public information of a precise nature, relating directly or indirectly to the issuer or its securities, which, if disclosed, would be likely to have a significant effect on the price of the issuer’s securities. Further, under article 17(1) UK MAR, an issuer must inform the public of such information, and must do so in a way which enables fast access and complete, correct and timely assessment of the information by the public. It is likely that the occurrence of a serious data breach would have such a significant effect on the share price of a company, especially those companies, like Uber, whose business is structured around the effective processing and management of data.

Attempting to cover up, or failing to give adequate disclosures in relation to, a data breach in such circumstances could therefore constitute a breach of s. 89 Financial Services Act 2012 (FSA), under which it is a criminal offence to make a statement known to be false or misleading in a material respect or dishonestly to conceal material facts, with an intention of inducing someone to enter into an agreement. A failure to comply with the UK MAR obligations may be evidence of dishonest concealment of material facts, and therefore this could result in a maximum prison sentence of seven years or a fine (or both).

Part of Sullivan’s explanation for not disclosing the incident to US regulators was that he believed Uber’s legal department would do so. Questions have also been raised about the accountability of Uber’s senior management at the time.

The case therefore highlights the paramount importance of (i) having established and well-rehearsed cyber incident response plans in place, including clear reporting and communication lines contained within internal policies and procedures and (ii) ensuring that those plans are put into effect through systems and controls on the ground, alongside seeking appropriate legal advice as soon as possible in the event incidents do occur.