In what may be the first settlement of an FCA case involving cybersecurity fraud, Cisco Systems has agreed to pay $8.6 million to settle a whistleblower’s claim that it improperly sold video surveillance software with known vulnerabilities to federal and state governments. The whistleblower, James Glenn, was a Cisco subcontractor who claimed that even a person with “moderate knowledge of software/network security” could gain access to Cisco’s video feeds; access users’ passwords; access all stored data on the system; modify or delete video feeds; and even grant themselves “administrator” privileges within the system. Glenn alleged that Cisco had known for years about these critical security flaws in its “Video Surveillance Manager” (VSM) program, but had never told its government customers and continued selling to them.
This case connects the dots from cybersecurity noncompliance to FCA liability. The theory of the case was that Cisco’s non-disclosure of known cyber vulnerabilities rendered its federal and state claims false or fraudulent. Specifically, the complaint alleged (1) that VSM was “worthless,” tainting all claims submitted for that product; (2) that VSM did not comply with FISMA or other federal requirements, which rendered false Cisco’s express and implied representations of compliance; and (3) that because its contracts entailed a duty to repair or replace non-conforming goods, Cisco’s failure to do so was a knowing avoidance of an obligation to the government, i.e., a reverse false claim. Although the settlement agreement may not admit liability on these theories, the settlement and its price tag demonstrate how exposed cyber companies are when they deal with the government.
As we discussed in a prior blog post, we expect to see many other cyber FCA cases unsealed in the coming years. The Cisco case is the culmination of a whistleblower complaint filed more than eight years ago. DOJ intervened in the suit for the purpose of settlement, joined by eighteen states and the District of Columbia.