BCLP Partner Renato Mariotti was quoted Oct. 11 by Bloomberg concerning the criminal conviction of former Uber security officer Joseph Sullivan for concealing a data breach, which is a high-profile reminder to corporate executives of their roles—and potential liability—in company security practices. “The Justice Department has made a calculation that they will ultimately empower certain C-suite executives to demand more resources and attention paid to compliance if they hold those executives responsible,” said Renato, a former federal prosecutor. After the hackers demanded $100,000 to not release the data, Sullivan treated them under the company’s bug bounty program, intended to reward white hat hackers who help identify security vulnerabilities, according to prosecutors. That was a misstep, Renato noted, because bug bounty programs should not be treated as a vehicle to covertly resolve hostile cyber attacks. “While bug bounty programs are a tool that numerous companies have used in the face of increasing threats from wrongdoers, juries may react skeptically to those programs, and so companies should reconsider their potential civil and/or criminal liability that could come from their connection and participation with those programs,” he said.

This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.