Hackers recently stole personal information of over 57 million customers and ride-share drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year.
As investigations are launched, Joshua M. Robbins, partner at high-stakes business litigation law firm Greenberg Gross LLP and chair of its white-collar defense and government investigations department, shared with us that Uber’s concealment could bring criminal prosecution as well.
“Uber has been under investigation by the Federal Trade Commission for a data breach that occurred a few years ago,” he said. “If Uber made false statements to the FTC, their liability will go far beyond a financial one.”
Under federal and many state securities laws, companies have obligations to make thorough and non-misleading disclosures to investors about facts that would be important to their decision to invest in the company–which means information that is material to the company’s financial performance.
According to Robbins, when something happens that could significantly affect a company’s financial status, and they do not disclose it or make misleading disclosures that hide or misstate it, the SEC, state securities regulators, private shareholder plaintiffs and courts will focus on questions including: What exactly happened? Was it “material”? What did the company know about it–and who inside the company knew? When did they know? What did they disclose about it?
“The more material the information, and the stronger the indications that the company knew about and tried to conceal it, the more likely government regulators will be to pursue and investigate and bring charges,” he explained. “If the evidence of fraudulent intent is powerful enough, the government may consider criminal charges.”
In the federal securities regulation context, disclosure obligations would be driven by traditional factors, including the materiality of the incident to the company’s financial performance. In fact, the SEC, in 2011, issued nonbinding guidance on public companies’ obligations to report cybersecurity risks and incidents. According to Robbins, it advised that in deciding what to disclose, companies should consider such factors as the impact of the incident on the company’s financial condition, whether important IP was stolen, and whether the company’s products, services, or customer relationships were affected.
“While the SEC has not yet brought an enforcement action for inadequate disclosure following a cybersecurity incident, its chair has said that he expects public companies to take seriously their ‘clear obligation to disclose material information about cyber risks and cyber events,’” he said. “And its director of enforcement has said that the SEC would absolutely bring an enforcement action against a company that violated its disclosure obligations in this area.”
Currently, the SEC is investigating Yahoo based on the two-year delay between the hack of three billion of its email users and its disclosure of that breach. Yahoo’s disclosure that the hack was much larger than previously stated will only augment calls for punishment. The SEC has also been investigating Equifax based on its delay in disclosing a hack that revealed data on over 140 million borrowers.
“How courts will address private shareholder litigation based on alleged failure to disclose breaches remains to be seen,” said Robbins. “Because companies suffering major breaches have often not seen a significant impact on their share prices, there have been few large shareholder class actions raising the issue. Yahoo and Equifax are exceptions, but those remain pending. How such elements as scienter, materiality, causation and damages are viewed in such cases will need to be addressed in these and future cases.”
Since Uber is not publicly traded, the SEC is not likely to open an investigation of it, and the DOJ is unlikely to investigate securities fraud charges, per Robbins, but the FTC will probably pursue the case. The FTC is not concerned with harm to Uber’s investors, but rather harm to its customers who have had their information stolen. It often brings enforcement actions under the FTC Act against companies who engage in “unfair or deceptive acts or practices in or affecting commerce.”
“If Uber’s executives knew about the data theft for months, did not inform customers who were affected, and instead tried to conceal the incident by paying ransom to the hackers, or if they had made misleading statements about their data security practices to reassure customers their information was safe, the FTC could file an action against the company,” he explained. “The same would be true of state consumer protection agencies, many of which have already launched investigations of Uber.”
So, Robbins says, it could get worse. In fact, before the recent revelations, the FTC launched an investigation of Uber’s handling of earlier data security issues. The agency settled with Uber in August, with the company promising not to mislead customers about its data security practices. Uber made various representations to the FTC on the subject during the investigation.
Robbins added, “If Uber’s prior representations to the FTC were knowingly false, Uber and the executives involved in communicating with the FTC may have violated federal criminal statutes prohibiting false statements to federal investigators. That could lead to a DOJ criminal investigation of the company and possible charges.”
On November 30, 2017, in response to the Uber incident, Senators Bill Nelson, Richard Blumenthal, and Tammy Baldwin introduced proposed legislation entitled the “Data Security and Breach Notification Act.” Among other things, the law would generally require companies to disclose data breaches within 30 days of learning about them. It would also make it a felony, punishable by up to five years in prison, to “intentionally and willfully conceal” a data security breach if the breach results in economic harm to any individual of $1,000 or more. This law would apply to all individuals and companies, not only large or publicly-traded firms. If enacted, these provisions would dramatically raise the stakes of companies’ decisions in handling data breach incidents, and would push the issue of data security even further up the priority list of C-suite executives.
Amanda G. Ciccatelli is a Freelance Journalist for Corporate Counsel and InsideCounsel, where she covers intellectual property, legal technology, patent litigation, cybersecurity, innovation, and more.