Uber’s ex-CSO case illustrates tightening legal restrictions on data protection

The topic of legal frameworks around data retention, security, eDiscovery and other considerations has been raised time and again; after all, with data volumes continuing to grow and awareness of its importance growing in turn, it’s only natural that governments and regulatory bodies worldwide begin to respond by tightening legal restrictions and establishing further data protections. Part of this response is neatly illustrated by the news that Uber’s former Chief Security Officer, Joe Sullivan, has been sentenced to three years of probation for his role in covering up a data breach.

The now infamous case – which took place in 2016 – saw Sullivan become aware of a large-scale data breach that had potentially exposed upwards of 57 million riders and drivers. Being already involved in a Federal Trade Commission investigation of earlier data leaks, Sullivan sought to keep the second leak quiet, and ended up paying the hackers in question through Uber’s bug bounty program.

As a result of these actions, Sullivan was convicted in October of obstruction of justice (18 U.S.C. § 1505) and misprision of a felony (18 U.S.C. § 4), both for attempting to obstruct the then-ongoing FTC investigation and for attempting to hide potential data loss from impacted consumers.

What does this ruling mean for organizations moving forward?

The largest immediate impact of the ruling and now sentencing of Sullivan is going to be in how data handling proceeds. In the United States, the recently passed law requiring critical infrastructure companies to report certain data security incidents to the government is likely to not go into effect for another two years. At the same time, however, the current case has demonstrated that the US government views non-reporting of data leaks as deliberate covering up of the same, which has far-reaching ramifications for organizations active in the American market moving forward.

Going forward, the legal requirement that organizations announce data leaks, both to relevant regulatory bodies and to the individuals impacted, coincides with tightening legal restrictions set by GDPR and other international agreements about what data can be preserved to begin with. As such, organizations are presented with a problem of increasing complexity in terms of how they store, identify, and process data.

Streamline your data handling with contentACCESS

Ensure easier compliance and complete control over your data with contentACCESS Archive and Backup. Take advantage of a number of data handling functions, including easy compatibility with eDiscovery legal requirements. Ensure compliance with legal retention policies including the Right To Be Forgotten, while maintaining data access monitoring and auditing options.

As requirements become more complex, it’s imperative that your organization has the tools on hand to prepare for success. We’re here to help you achieve that, by handing you the possibilities you need for the future. If you’d like to learn more about contentACCESS and how it can revolutionize your data handling and data security, contact us. Our team will be happy to schedule a free consultation where we can go over your use case and how contentACCESS meets your needs.


Take the best steps to protect your data – with TECH-ARROW.

by Matúš Koronthály