In United States v. Sullivan, --- F.4th ---, No. 23-927 (9th Cir. 2024), the Court affirmed Sullivan’s jury conviction for obstruction of justice and misprision of a felony arising from his efforts, while the Chief Security Officer for Uber Technologies, to cover up a major data breach even as Uber underwent investigation by the Federal Trade Commission into the company’s data security practices.
Here are some key parts of the opinion.
Sullivan claims error with respect to two of his proposed jury instructions regarding the obstruction conviction—the “nexus” instruction and the “duty to disclose” instruction.In accord with the statutory language, the jurors were instructed: “For the defendant to be found guilty [under Section 1505], the government must prove each of the following elements beyond a reasonable doubt: First, there was a proceeding pending before a department or agency of the United States; Second, the defendant was aware of the proceeding; and Third, the defendant intentionally endeavored corruptly to influence, obstruct, or impede the pending proceeding.” This instruction precisely mirrors the elements of Section 1505, as spelled out in United States v. Price, 951 F.2d 1028, 1031 (9th Cir. 1991).Ninth Circuit precedent forecloses Sullivan’s argument. We held in United States v. Bhagat that there is no “need to supplement the Price instructions with additional elements,” including a “nexus” element, for a conviction under Section 1505.Sullivan also claims that the district court erred by rejecting his proposed “duty to disclose” instruction: that, if the basis of the obstruction-of-justice conviction was Sullivan’s “withholding of information, the government must prove beyond a reasonable doubt that [he] had a duty to disclose that information to the FTC.” Sullivan contends that, without this instruction, the jury may have convicted on a theory that was invalid under Section 1505—that is, inaction by a defendant under no duty to disclose. He urges application of the Yates rule that “a verdict [is required] to be set aside in cases where the verdict is supportable on one ground, but not on another, and it is impossible to tell which ground the jury selected.”The Yates rule applies only to disjunctive charges and theories of culpability. Thus, if multiple “ways in which an offense may be committed” are alleged conjunctively in one count, then “proof of any one of those acts conjunctively charged may establish guilt,” and Yates is inapplicable.A tandem prosecution under Section 2(b) and a substantive criminal statute presents conjunctive theories of culpability. In this context, Section 2(b) “is considered embodied in full in every federal indictment.” Therefore, if a theory based on the inaction of a defendant under no duty to disclose would be valid under either Section 2(b) or Section 1505, then the instruction was not in error.Section 2(b) also does not require a defendant to have a duty to disclose if prosecuted for inaction. Singh, 979 F.3d at 717–18 (concluding that the defendant need not have a duty to disclose, so long as the third party who does the act has such a duty). Sullivan concedes that “Uber was duty-bound to respond to formal FTC inquiries issued to Uber.”We need not reach the question of validity under Section 1505. Because the legal theories under Section 1505 and Section 2(b) are conjunctive, the validity under Section 2(b) alone renders the omission of a duty-to-disclose instruction proper.We now turn to Sullivan’s argument that the evidence of his alleged misprision was insufficient as a matter of law.To establish misprision, the government is obliged to show that “the principal committed and completed the felony alleged.” Here, that meant proving that the hackers had “intentionally accesse[d]” Uber’s computers “without authorization . . . and thereby obtain[ed]” information from those “protected computer[s],” in violation of the CFAA.The hackers’ use of stolen credentials to access protected, private servers was a typical CFAA violation.Sullivan argues that Uber’s post hoc authorization, via the NDA, retroactively rendered the hackers’ access authorized—thereby erasing their felony. But this is a false premise, inconsistent with the most plain and natural reading of the CFAA.Finally, we address Sullivan’s contention that the district court abused its discretion in permitting the introduction of the guilty plea agreement signed by one of the hackers.Any unfair prejudice to the defendant resulting from the plea’s admission into evidence does not substantially outweigh the plea’s probative value. Because the hacker and Sullivan pleaded guilty to separate crimes, the fact of this plea does not improperly impute blame for the hacker’s conduct to Sullivan.
