Cisco’s $8.6 Million False Claims Act Settlement Signals Viability of Cybersecurity Claims Under the False Claims Act
On July 31, 2019, Cisco Systems, Inc. (“Cisco”) agreed to pay $8.6 million to settle a False Claims Act (“FCA”) whistleblower allegation that it sold video surveillance equipment to government agencies knowing the equipment was susceptible to cyber-attack.[1] The FCA, 31 U.S.C. §§ 3729 – 3733, provides liability for any person who knowingly submits false claims to the government. The Cisco settlement is believed to be the first FCA payout for a cybersecurity-related allegation, signaling increased scrutiny and enforcement risks for companies marketing and selling technical products to federal, state, and local governments where such products are subject to data and security mishandling.
Among other prohibitions, the FCA prohibits knowingly presenting, or causing to be presented, to the federal government a false or fraudulent claim for payment or approval. The FCA allows a relator – a person with information about an FCA violation – to bring an action on behalf of the United States, known as a qui tam suit, and to potentially share in any related recovery. Individual states also have enacted their own false claims act statutes that prohibit similar misconduct.
This case was initially filed under seal by relator James Glenn in 2011. Glenn previously worked for a Danish networking company and Cisco partner. According to the complaint, Glenn was testing a line of Cisco products known as Video Surveillance Manager[2] in 2008 when he discovered that there were security risks in the products’ design.[3]
Glenn reported to his management team that the products were “riddled with serious security defects.” In addition, he submitted a report on the vulnerabilities to Cisco’s Product Security Incident Response Team (“PSIRT”), including detailed descriptions of the issues and snapshots of the tests performed. Receiving no response, Glenn followed up with PSIRT on multiple occasions. A few months later, Glenn was fired from his position, with the company citing economic issues as the basis for the termination.[4]
Glenn continued to monitor for news that Cisco had fixed or was fixing the issues he presented, but no announcements were made. In 2011, he filed the FCA complaint, alleging that, despite knowledge of the system vulnerabilities, Cisco marketed the Video Surveillance Manager line of products to federal government agencies, including the Department of Homeland Security and the Army. Glenn’s whistleblower complaint was joined by the United States, the District of Columbia and 15 individual states.[5]
Almost two years after the suit was filed, in mid-2013, Cisco acknowledged that there were “multiple security vulnerabilities in versions of Cisco [Video Surveillance Manager] prior to 7.0.0, which may allow an attacker to gain full administrative privileges on the system,” including the ability to alter camera feeds.[6] Cisco subsequently agreed to settle the lawsuit. Under the terms of the settlement, Cisco will pay $2.6 million to the federal government to resolve FCA claims, as much as $6 million to the 15 states and DC to resolve claims under similar state laws, and as much as $1.6 million to Mr. Glenn.[7]
What It Means For You
Cisco’s agreement to settle this matter suggests that cybersecurity-related claims under the FCA are viable. With fast-paced developments in technology and increasing pressure on companies to devise ways to counteract cyberattacks, the technology, security, and cyber industries may well present a growing target for FCA enforcement. In addition, as made clear by the Cisco case, successful enforcement may not depend on proof of an actual cyber breach; rather, the mere possibility of a breach could be sufficient. As compared to the $8 million settlement here, the damages could be higher in a case where a data breach does, in fact, occur.
Companies contracting with the government must remain aware of the federal government’s focus on cybersecurity compliance. This is particularly true for companies contracting with the Department of Defense (“DoD”), which has announced that it will develop new cybersecurity standards called the Cybersecurity Maturity Model Certification (“CMMC”) for implementation in 2020. DoD has also stated that it will treat cybersecurity as an allowable cost. As a result, contractors will be hard pressed to find a valid excuse for not maintaining compliant cybersecurity practices.
Vinson & Elkins’ government contracts practice has kept a close eye on these issues. Its lawyers Jamie F. Tabb, Elizabeth Krabill McIntyre, and John M. Satira reported on the suspension of Perceptics, LLC from doing business with the federal government after a highly publicized cyberattack was revealed in June 2019. We will continue to report on noteworthy developments in this area.
Visit our website to learn more about V&E’s Government Investigations & White Collar Criminal Defense practice. For more information, please contact Vinson & Elkins lawyers Amy Riella, Jamie Tabb, or Francis Yang.
[1] See Stipulation of Dismissal (ECF No. 75), No. 1:11-cv-00400-RJA (W.D.N.Y., filed May 10, 2011).
[2] The Video Surveillance Manager software is meant to control video surveillance cameras and to store and manipulate the videos created by the cameras.
[3] Complaint (ECF No. 1), No. 1:11-cv-00400-RJA (W.D.N.Y., filed May 10, 2011).