The Government Is Upping The Ante On Cybersecurity With Significant False Claims Act Consequences

Marking the first payout on a False Claims Act (FCA) case brought over a failure to meet cybersecurity standards, Cisco Systems, Inc. has agreed to pay $8.6 million to settle a whistleblower's complaint that the company improperly sold video surveillance systems with known vulnerabilities to various federal and state government agencies, including Homeland Security, the Secret Service, the army, the navy, the marine corps, the air force, and the Federal Emergency Management Agency. This settlement underscores the importance of government contractors understanding and complying with applicable cybersecurity standards, and of rapid reporting when companies detect non-compliance, even if, as in the case of Cisco, no actual cybersecurity breach was alleged.

Whistleblower James Glenn initially filed the case under seal in 2011, but the case was not unsealed until July 31, 2019. According to the complaint, while working for a Danish networking company and Cisco partner in 2008, Glenn was testing a line of Cisco products known as the Video Surveillance Manager (VSM) when he discovered security risks in the product's design. Glenn realized that he could hack into the video software and take over the surveillance system without being detected, as well as add and delete video streams. According to the complaint, these security flaws also potentially compromised the security of any other computer or systems connected to the product. Glenn reported these security defects to his management team and submitted a report on the vulnerabilities to Cisco. A few months after his report, however, Glenn was laid off as part of the company's supposed cost-cutting measures.

Cisco took no action to correct the vulnerabilities with the software but instead continued to sell the product without any notice to its customers of the system's vulnerabilities. In 2011, Glenn contacted the Federal Bureau of Investigation (FBI) to discuss the issue, and filed his complaint soon after. Cisco finally issued a security alert in 2013 to inform customers of the flaw, along with a solution to the security problems.

Glenn argued two theories of FCA liability in his complaint. The first was that the VSM was worthless to government customers because it failed to enhance the security of the agencies that purchased it, and in many cases actually reduced the protection provided by other security systems. The second was that Cisco's claims were false because Cisco failed to comply with...