Skip to content
Illustration of a pen scribbling a statement with a red background.

Illustration by iStock; Security Management

Legal Report: Instagram Faces €405 Million Fine for Mishandling Underage Users’ Data

Judicial Decisions.

Obstruction. A U.S. federal jury found former Uber CSO Joseph Sullivan guilty of obstructing justice and misprision of a felony for keeping a data breach from a federal regulator.

The charges were linked to an attempt to hide a 2016 hack of Uber, which occurred while Sullivan was serving as the company’s CSO. Malicious actors informed Sullivan that they had accessed and downloaded an Uber database, which affected 57 million passengers and drivers. It also contained personally identifying information (PII) including driver’s license numbers of Uber drivers, according to the U.S. Department of Justice (DOJ).

After learning of the breach, Sullivan told then-Uber CEO Travis Kalanick about the incident. Kalanick approved Sullivan’s strategy to arrange to pay the attackers $100,000 in Bitcoin through a bug bounty program in return for the hackers remaining silent about the attack. Uber’s chief privacy lawyer and head of communications were also aware, according to court testimony. None of them informed the U.S. Federal Trade Commission, which was investigating Uber for a separate data breach.

Investors forced Kalanick to resign in 2017, and the company’s new CEO—Dara Khosrowshahi—fired Sullivan after becoming aware of the extent of the breach. The DOJ then charged Sullivan for his role in the cover-up.

The trial marked the first major criminal case brought against an executive for a data breach committed by outside actors. As of press time, Sullivan’s sentencing had not been scheduled. He faces a maximum of five years in prison for obstruction and three years in prison for the misprision charges. (United States v. Joseph Sullivan, U.S. District Court for Northern District of California, No. 20-cr-00337-WHO, 2022)

Negligence. Three defendants—the owner of a Florida shopping plaza, the plaza’s managing company, and a liquor store that was a tenant in the plaza—paid $4.55 million to settle a wrongful death suit.
Trabis Ward was shot and killed in October 2020 at the plaza, which was managed by Fitzgerald Group, LLC, and owned by American Federated Title Corp.

Ward’s estate argued that although the defendants were aware that the plaza’s liquor store, J&L Liquors, also operated as a late-night bar, they were negligent in their security practices and efforts because they failed to curb loitering and partying, which created the environment for the shooting.
The defendants alleged that the shooting was a targeted crime instead of random. A suspect had not been arrested as of Security Management’s press time.

J&L paid $1 million—the limit of its insurance policy—while American Federated and Fitzgerald Group together settled for $3.55 million. (Doris Deberry, as personal representative of the Estate of Trabis Ward v. American Federated Title Corp., et al, 7th Circuit Court for Broward County Florida, No. CACE-21-013871, 2022)

Geofencing. A U.S. federal judge sentenced Okello Chatrie, 27, to nearly 12 years in prison for the armed robbery of Call Federal Credit Union in Virginia.
In May 2019, Chatrie entered the bank and demanded money from bank employees at gunpoint. He pled guilty to robbing the bank of almost $200,000 and of brandishing a firearm during the robbery, according to the DOJ.

Key evidence in the case was obtained through a geofence warrant—a broad search warrant that allows law enforcement to obtain Google location history to determine who was near the bank at the time of the robbery.

Although the judge ruled that the warrant violated the U.S. Constitution’s protection against unreasonable searches, the evidence was still permitted in the case since the detective who secured the warrant acted in “good faith” by consulting with prosecutors prior to requesting the geofence warrant.

“Nonetheless, the court notes its deep concern…that current Fourth Amendment doctrine may be materially lagging behind technological innovations,” the judge wrote. (United States v. Okello T. Chatrie, U.S. District Court for Eastern District of Virginia, No. 19-cr-00130, 2022)


Privacy. Australia’s Federal Court ordered Google LLC to pay a $60 million AUD ($40.6 million) fine for misrepresentations to Android customers about how to opt out of the collection and use of their PII data.

Between 30 April and 19 December in 2018, Google informed customers that the location history setting on their devices was the only account setting that controlled the collection, storage, and use of their location data, according to the Australia Competition and Consumer Commission (ACCC). Another setting on the devices—Web & App Activity—was enabled by default, however, and allowed Google to collect PII data.

On top of the fine, the court ordered Google to implement policies that include a commitment to compliance, as well as training staff about related privacy laws. (Australian Competition and Consumer Commission v. Google LLC, Federal Court of Australia, No. NSD 1760 of 2019, 2022)


U.S. States

Ransomware. North Carolina and Florida recently enacted laws banning state agencies from paying a ransom in response to a ransomware incident.
Florida’s governor approved CS/HB 7055, which amended the State Cybersecurity Act and became effective 1 July. If a state agency, county, or municipality—including public schools or universities—is attacked with ransomware, it must notify the state’s Cybersecurity Operations Center and the Law Enforcement Department’s Cybercrime Office within 12 hours of discovering the incident. Florida’s amended law prohibits the state target from paying or in any way complying with ransom demands.

North Carolina became the first U.S. state to enact this kind of legislation in April 2022. The state updated Article 84 of its General Statutes, which not only bans state agencies and local governments from paying a ransom demand from a ransomware attack, but also prohibits them from any communication with the attackers. Any public entities hit by ransomware must consult the state’s Department of Technology.

Privacy. The City Council of Houston, Texas, approved an ordinance instructing certain business owners to install cameras on company property. The surveillance, paid for by the company, would operate without public oversight.

The companies—specifically bars, convenience stores, game rooms, nightclubs, and “sexually oriented businesses”—are required to provide “footage in connection with crime investigations” to law enforcement within three days of a request and must store the footage for at least 30 days, according to the law. Ordinance No. 25022-307 does not specify that law enforcement must obtain a warrant to access the footage.



Privacy. Ireland’s Data Protection Commission issued social network platform Instagram a €405 million ($402 million) fine for handling underage users’ data in a way that violated privacy regulations.

The data privacy regulator began investigating Instagram in 2020, focusing on users ages 13 through 17 who ran business accounts on the platform. Investigators determined that Instagram violated the EU’s General Data Protection Regulation (GDPR) in how it displayed personal details on business account profiles, including email addresses and phone numbers.

Some users indicated that they switched from personal to business accounts on the platform to access analytics tools, including statistics on liked posts and profile visits.

Instagram said it will appeal the fine, which is the second-largest throughout the EU for violations of the GDPR rules. In statements to media outlets, the company said it disagreed with how the fine was determined and it updated its privacy settings more than one year ago.


Data breaches. The Cyberspace Administration issued ride-hailing company Didi an 8.026 billion yuan ($1.15 billion) fine for violating multiple Chinese laws. Two company executives—CEO Cheng Wei and President Liu Qing—were each fined 1 million yuan ($143,552).

The agency began investigating Didi’s network security in 2021 and determined it violated the Network Security Law, Data Security Law, and Personal Information Protection Law. The agency concluded that Didi illegally collected customer information since 2015.

U.S. States

Crypto. The New York State Department of Financial Services (NYDFS) levied a $30 million fine against Robinhood’s crypto division and alleged the division did not transition to a more appropriate method of monitoring activity as the company’s user size and transaction volume increased.

Along with the fine—which closes a 2020 NYDFS investigation into the anti-money laundering and cybersecurity issues—Robinhood must retain a third-party consultant to ensure related regulatory compliance.