Oct. 9, 2024

9th Circuit panel skeptical of appeal by ex-Uber security chief and attorney

The prosecution and conviction of Joseph Sullivan, a former federal prosecutor, has raised questions about how companies will handle data breaches and reporting requirements after the first case in which the government filed criminal charges against a corporate official for his handling of a hack.

A 9th U.S. Circuit Court of Appeals panel appeared very skeptical Tuesday of a bid by former Uber Technologies Inc. Deputy General Counsel and Chief Security Officer Joseph Sullivan to reverse his conviction for obstruction of a Federal Trade Commission proceeding and a second felony.

Senior 9th Circuit Judge M. Margaret McKeown cut off Orrick, Herrington & Sutcliffe LLP partner Christopher J. Cariello, who represents Sullivan, early in his argument by noting that she was bound by a 2006 9th Circuit precedent. U.S. v. Bhagat, 436 F.3d 1140 (9th Circ., filed Jan. 27, 2003).

Orrick attorneys had argued in their briefs that the decision had been overturned by subsequent U.S. Supreme Court authority and that Senior U.S. District Judge William H. Orrick III in San Francisco failed to instruct the jury that prosecutors must prove a nexus between alleged conduct and the FTC proceeding.

But McKeown said, "We're bound by Bhagat," a ruling which Cariello conceded reached the opposite conclusion.

"We are asking this panel to overturn circuit precedent," he replied. U.S. v. Sullivan, 23-927 (9th Circ., filed May 15, 2023).

On the other count, misprision of a felony, McKeown questioned whether Uber's use of a bounty program that allowed companies to pay researchers for finding data breaches applied to Sullivan's payment of $100,000 to two hackers and then not reporting that to the FTC.

Cariello, based in Orrick's New York office, said Uber used the "Bug Bounty" program to pay the hackers, Vasile Mereacre and Brandon Glover, adding that company in-house counsel testified that once a payment is made, it is authorized. He also said Sullivan kept the company's then-CEO, Travis Kalanick, informed of his actions.

"In history, at the time, no one ever had been prosecuted after a bug bounty agreement because the understanding on the security team is that you're authorized after that," he told the panel.

"It seems to me that before the access, they didn't really qualify for the 'Bug Bounty' program," McKeown said. "There is this retroactive pasting over and that is what is troubling here."

"How do we distinguish this post-hack ratification theory with the coverup the government has charged?" asked 9th Circuit Judge Anthony D. Johnstone.

"The question is not whether they are correct," Cariello said. "The question is whether they reasonably believed that."

The prosecution and conviction of Sullivan, a former federal prosecutor, has raised questions about how companies will handle data breaches and reporting requirements.

Jennie W. VonCannon, a partner with Crowell & Moring LLP and former federal prosecutor, watched the hearing and predicted that Sullivan would not prevail in his appeal based on the comments of the judges - including 9th Circuit Judge Ana I. de Alba, who told Cariello the payment "does look like a coverup."

VonCannon downplayed the impact, saying she thinks "the facts of this case are pretty unique to Sullivan -- using a bug bounty program retroactively to make a payment [10 times the normal amount] to hackers that exfiltrated data during an FTC investigation of the company for the same vulnerability that caused a previous breach.

"But no matter what happens with Sullivan's appeal, it is still on the minds of chief information security officers and chief technology officers everywhere that they can potentially be personally prosecuted for how they conduct themselves during and after a cyber incident," VonCannon said.

"For that reason alone, I think that it is very unlikely that companies will use a bug bounty program in the way that Sullivan did here to deal with hackers," she added.

All three members of the panel were appointed by Democratic presidents.

Assistant U.S. Attorney Ross D. Mazer said the case "represents a flagrant example of obstruction of justice."

In May 2023, Orrick sentenced Sullivan to three years' probation, 200 hours of community service and a $50,000 fine. The judge rejected prosecutors' request for a 15-month jail sentence because it was the first case of its kind.

If Sullivan's conviction is upheld by the three-judge panel, his attorneys could seek en banc review by the full 9th Circuit.

Craig Anderson

Daily Journal Staff Writer
craig_anderson@dailyjournal.com
