On March 13, 2025, a three-judge panel of the U.S. Court of Appeals for the Ninth Circuit unanimously upheld the conviction of former Uber Chief Security Officer Joseph Sullivan. The ruling affirms Sullivan’s 2022 conviction for obstruction of justice and misprision of a felony, marking a significant precedent in corporate cybersecurity accountability. Sullivan received three months of probation and 200 hours of community service despite being eligible for a sentence of up to eight years in prison.
Key Takeaways:
- The Ninth Circuit confirmed that Sullivan obstructed an FTC investigation into Uber’s security practices following a major 2016 data breach.
- The ruling solidifies that executives can face criminal liability for decisions made in response to data breaches.
- The case underscores the importance of caution in regulatory compliance and data breach disclosures.
- Companies should reassess internal procedures for handling data breaches to ensure transparency and regulatory compliance.
- Cybersecurity teams and legal departments should coordinate closely to ensure that incident response plans align with evolving legal obligations and regulatory expectations.
Background:
Joseph Sullivan, a respected cybersecurity executive, was convicted in 2022 for covering up a 2016 breach that exposed personal data of 57 million Uber users and 600,000 driver’s license numbers from Uber drivers. Instead of reporting the breach to the U.S. Federal Trade Commission (FTC), as required under an ongoing consent decree, Sullivan authorized a $100,000 payment in Bitcoin to the threat actors through Uber’s bug bounty program, securing a non-disclosure agreement in the process. His approach aimed to keep the incident private while Uber was negotiating a resolution of a prior data security incident under investigation by the FTC.
The case became the first instance of a corporate executive being held criminally liable for mishandling a data breach, and Sullivan’s conviction—given the novel extension of personal liability for strategic decisions in the management of a cyber incident—raised concerns throughout the cybersecurity industry. Despite this, the Ninth Circuit reaffirmed the lower court’s ruling, rejecting Sullivan’s appeal on all grounds.
Ninth Circuit’s Ruling:
Writing for the unanimous panel, Judge Margaret McKeown stated that the jury’s verdict “underscores the importance of transparency even in failure situations—especially when such failures are the subject of federal investigation.” The court rejected Sullivan’s argument that the hackers’ illegal actions could be retroactively legitimized through a non-disclosure agreement. The ruling reaffirmed that executives responsible for cybersecurity cannot bypass reporting requirements in an effort to avoid reputational damage. According to the court, corporate leaders must ensure compliance with disclosure obligations, even when attempting to negotiate security incidents internally.
Industry Implications:
This ruling establishes a major legal precedent, signaling that managers, especially those responsible for cybersecurity matters, are not shielded from criminal liability for failing to disclose cyber incidents. Companies must reevaluate their incident response policies to align with federal and state reporting obligations. The case further highlights the need for clear and proactive governance in corporate cybersecurity programs. Security officers and legal teams should work collaboratively to document decision-making processes and ensure regulatory compliance. Organizations must also recognize the potential risks involved when negotiating payments to hackers through white hat or bug bounty programs: though such programs are not unlawful in their own right, they must not be used to circumvent reporting obligations.
Next Steps for Organizations:
With this precedent, along with growing reporting and transparency obligations at both federal and state levels, organizations must consider the broader cultural and operational shifts necessary to align cybersecurity leadership with legal expectations. Companies should take proactive measures to ensure that security officers and legal teams are equipped to handle breach disclosures in a manner that satisfies both compliance mandates and corporate risk management strategies.
One immediate implication is the need to reassess internal whistleblower and escalation mechanisms to help security professionals feel empowered to report potential compliance concerns without fear of retaliation. Establishing clear, protected reporting pathways can prevent legal missteps and reinforce accountability at all levels of leadership. Additionally, organizations should incorporate breach response scenarios into tabletop exercises involving both security and legal teams, ensuring that decision-making processes are well-documented and defensible in the event of regulatory scrutiny.
Moreover, companies should consider proactively engaging with regulators and industry groups to stay ahead of evolving expectations in cybersecurity governance. Regulatory agencies are increasingly prioritizing transparency in incident response, and fostering cooperative relationships with enforcement agencies—when and where appropriate—can provide critical insights into compliance expectations and enforcement trends. As regulatory landscapes continue to shift, businesses that integrate legal risk analysis into their cybersecurity decision-making frameworks will be better positioned to mitigate both legal exposure and reputational damage. Above all, organizations must recognize that cybersecurity is not just a technical issue; it is a fundamental legal and governance concern that requires a well-coordinated, cross-functional approach.