One-time Uber lawyer Craig Clark agreed to testify against his former boss, Joe Sullivan, the company’s security chief when it was hacked in 2016, in exchange for immunity.
But the court needs to have clarity that it was Sullivan, not he, who changed non-disclosure agreements the hackers were asked to sign.
“In my mind it was clear as day that Joe input those changes,” Clark said in cross-examination as part of a criminal obstruction case against Sullivan that started this week in a San Francisco federal district court. Clark’s comments were reported by Courthouse News Service.
Sullivan is accused of obstruction of justice and misprision of a felony in trying to hide a breach affecting tens of millions of people, including a hack of 600,000 driver records.
If Sullivan is convicted of the felony charge, analysts say, he could be the first executive to face jail time for his role in a data breach.
“You can’t put a company in jail,” Chinmayi Sharma, a legal scholar in residence at the University of Texas at Austin, told The New York Times. “You can put an executive in jail. Now, that is on the table.”
Sullivan faces a maximum statutory penalty of five years in prison for the obstruction charge and a maximum three years in prison for the misprision charge, the Department of Justice has said.
‘Bug bounty’ strategy
Clark worked for Sullivan as one of his top lawyers on the security team at the time of the breach.
According to Clark, Sullivan, already dealing with a Federal Trade Commission review of a 2014 data breach, brought up the idea of treating the breach as part of the company’s bug bounty program in which hackers are paid to exploit security weaknesses to head-off real-world breaches. As part of that program, the incident wouldn’t have to be reported to the FTC as a breach.
“I remember Joe asking or saying how can we fit this into bug bounty,” Clark testified, according to the Courthouse report.
Taking the comment as a directive to find a way to make that work, Clark said, he proposed a plan to have the two hackers join the program.
“We needed to have a relationship such as they could be referred to as agents,” Clark testified.
After Sullivan okayed offering $100,000 in digital currency as compensation, Clark drafted a back-dated NDA in which the hackers, in exchange for the money, promise they didn’t take or store any data they obtained in their “research” and permanently deleted or destroyed data related to the company’s vulnerabilities.
Clark said he sent the draft in a Google doc to Sullivan and others on the security team, and when it came back to him, the word “obtained” had been removed along with other changes.
Removing “obtained” changed the way the NDA characterized the incident by making it seem like the hackers had never possessed the data.
“The x'ing out of ‘obtained’ was where it changed from an accurate statement to an inaccurate statement,” Clark said, according to the Courthouse report.
Legal team role
David Angeli, an attorney who’s representing Sullivan in the trial, said his client was being scapegoated by the Uber leadership that was brought in after the company’s controversial founder and CEO, Travis Kalanick, left the company in 2017, and that it was the legal team that decided to treat the incident as something the FTC didn’t need to know about.
“The Uber legal team had all the information it needed” to decide whether the company should report the incident, Angeli said, according to the Times report.
Nor did Sullivan direct anyone to be misleading. “You won’t hear a single witness take that stand and say that Joe Sullivan told them to lie to the FTC or destroy documents or hide what had happened from Uber’s senior management or the Uber legal team,” said Angeli.
Clark’s testimony appears to contradict that, heightening the importance of who directed the change in the NDAs.
In his cross-examination, Angeli reminded Clark that Andrew Dawson, an assistant U.S. attorney who is helping the government with its case against Sullivan, made his promise of immunity contingent on the court knowing who changed the wording in the NDAs.
It was clear, Angeli said in the Courthouse report, “that you wouldn’t get that immunity deal until that issue was cleared up.”
The trial, which opened on September 14, is expected to last a month.