Source: Tetra Images via Alamy Stock Photo
Former Uber CISO Joseph Sullivan, convicted in 2023 of trying to cover up a data breach, is seeking a new trial, citing procedures omissions from his original trial that his lawyers said tainted the verdict.
Sullivan was initially convicted on charges related to Uber's 2016 data breach and was sentenced to three years of probation for his role in the subsequent coverup.
Sullivan was also ordered to pay a $50,000 fine and perform 200 hours of community service. These penalties were considered too soft by the prosecution, which argued that a 15-month prison term would have been more beneficial in deterring other executives in similar situations.
Now, Sullivan's defense attorneys argued that the jury was not informed of two "key limitations" in the nexus requirement, when Sullivan was initially tried. To convict a defendant under section 1505, the government must prove there was an agency proceeding; that the defendant was aware of that proceeding; and that the defendant intentionally tried to corruptly influence, obstruct, or impede that proceeding. According to the defense, these requirements weren't part of the jury's instructions, which undermined the entire conviction and called for a reversal.
"But at a minimum, each of these errors infects one of the government's core theories of guilt and require a new trial," Sullivan's attorneys argued during this week's hearing.
The prosecution countered that any potential errors in jury instruction were harmless and, ultimately, Sullivan's actions of falsifying documents and authorizing hush money in the form of bug bounties were a clear obstruction of justice.
The court made no decision today, but CISOs, boards of directors, and legal scholars will be watching the ruling, given how Sullivan's conviction has led to more legal scrutiny of and charges against CXOs, especially where compliance with data-handling laws is concerned.