Two landmark cases involving public companies and their cybersecurity executives offer some crucial lessons in corporate governance, transparency, program boundaries, and data privacy.
One case was the first Securities and Exchange Commission enforcement action that charged a chief information security officer, or CISO, as well as the company and the first accounting control claim, based on cybersecurity failings.
The other case, involving Uber Technologies Inc., was the first criminal prosecution and conviction of a chief security officer, or CSO, concerning information provided after a data breach.
SolarWinds Case
The SEC filed a complaint against SolarWinds and CISO Timothy in October 2023 alleging securities fraud, negligence-based claims, and reporting violations.
Two categories of control-related violations were raised. SolarWinds was accused of internal accounting controls violations based on a novel theory that the cybersecurity controls at issue fell within the statutory definition of “internal accounting controls” because they concerned the safeguarding of SolarWinds’ corporate assets. The SEC also alleged that SolarWinds’ disclosure controls and procedures weren’t reasonably designed to ensure timely, accurate, and complete disclosures regarding cybersecurity.
The US District Court for the Southern District of New York dismissed the majority of the SEC’s claims, including many of the alleged disclosure violations and both of the control-related charges.
The parties notified the court in July 2025 that they reached a settlement pending SEC approval, but the putative settlement never materialized. Instead, the SEC moved to dismiss all remaining claims with prejudice on Nov 20.
Following this case, public companies continue to face risks on a variety of fronts.
We expect the SEC to bring enforcement actions to the extent that it identifies fraudulent disclosures related to cyber incidents or security measures. To the extent there is a perceived decline in enforcement under the current administration, companies should be mindful that the statute of limitations is generally longer than any administration.
Further, any enforcement gap at the federal level may invite state regulators to bring their own enforcement actions.
Uber Case
The second case involves the recent affirmance of the criminal trial conviction of the former Uber CSO by the US Court of Appeals for the Ninth Circuit following denial of a petition for rehearing.
A 2016 cyberattack exposed the “names and driver’s license numbers of around 600,000 drivers” and “personal information of 57 million Uber users.” At the time, the Federal Trade Commission was conducting an investigation concerning the company’s data security for an earlier 2014 incident involving access to the personal information of more than 100,000 drivers.
In the investigation of the 2014 incident, Uber CSO and Deputy General Counsel Joseph Sullivan made presentations to the FTC about Uber’s security, was deposed, and approved statements concerning Uber’s data security practices. The investigation also focused on “the company’s ‘alleged deceptive statements’ about those practices.”
While his deposition and the statements he approved post-dated the 2016 incident, he didn’t disclose the 2016 incident, although the cyberattacks involved similar access to credentials stored on the same platform.
Sullivan and others tracked down the hackers and paid them $100,000 in Bitcoin under the company’s bug bounty program, asked the hackers to maintain confidentiality and destroy the data that they stole, and concealed the breach from regulators and new management.
Sullivan drafted the nondisclosure agreement for the hackers and informed the CEO of the “contract,” but didn’t inform Uber’s general counsel.
Ultimately, Sullivan was indicted and convicted at a jury trial on two counts: obstruction of justice and misprision of a felony. In affirming the conviction last March, the Ninth Circuit rejected the argument that the post hoc authorization through the nondisclosure agreement and bug bounty program “retroactively rendered the hackers’ access authorized—thereby erasing their felony.”
Separately, the company entered into a non-prosecution agreement with the Department of Justice. The FTC revised its complaint and imposed stricter reporting obligations on Uber. All 50 states and Washington, DC, reached a settlement for $148 million on the undisclosed incident.
Fines of $1.2 million were also imposed by the UK’s Information Commissioner’s Office and the Dutch Data Protection Authority for the same incident. Federal prosecutors charged two hackers who pleaded guilty to violating the Computer Fraud and Abuse Act.
Key Lessons
Transparency is mandatory. Concealing a breach, including its facts and circumstances—particularly during regulatory inquiries—can lead to personal criminal liability. Some significant penalties have been imposed over failure to notify following a data breach or the insufficiency of the notice.
As the Ninth Circuit stated when affirming Sullivan’s conviction, “The jury’s verdict in this case underscores the importance of transparency even in failure situations—especially when such failures are the subject of federal investigation.”
Bug bounty programs have limits. Review and audit bug bounty programs to ensure there are clear boundaries and documented approval processes, and that they aren’t being used for criminal incidents.
Governance and escalation protocols matter. Place disclosure decisions under legal and board oversight. Don’t leave oversight of disclosure and other obligations with the security team alone. Following the adoption of the SEC’s cybersecurity disclosure rules, many public companies have implemented policies and procedures to assess disclosure obligations in the wake of cyber incidents.
Assess the current cybersecurity climate. Ensure companies have a complete understanding of the cyberthreat landscape as it evolves and based on risk assessments of the particular threats that apply to their business. This will inform disclosure decisions, enable companies to better tailor controls, and facilitate the incident response process in the event of a breach.
In short: be transparent and don’t conceal, don’t let a bug bounty become a cover-up, keep senior management (including your CEO and general counsel) and your board in the loop, and don’t rest on your laurels—both senior management and the board need frequent updates on what is a fluid and rapidly evolving cybersecurity landscape.
Pillsbury represented an international public company in connection with the SEC’s SolarWinds investigation. At a prior firm, Krotoski assisted in the representation of a witness who testified at the trial of ex-Uber CSO Joseph Sullivan.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.
Author Information
David Oliwenstein is partner at Pillsbury and leads its securities enforcement practice.
Bruce Ericson, a partner at Pillsbury, is leader of the firm’s securities litigation team.
Mark Krotoski, a partner, leads Pillsbury’s cyber disputes team and cartel enforcement team.