First False Claims Act Settlement Over Flawed Cybersecurity Could Be a Harbinger of the Future

August 20, 2019 – Insight
In what appears to be a first under the False Claims Act, a case based on flawed cybersecurity has been settled, for nearly $9 million. On July 31, 2019, the Attorney General of New York announced that, alongside the U.S. Department of Justice, New York, eighteen other states, and the District of Columbia have reached an $8.6 million settlement with Cisco Systems, Inc. (“Cisco”) over sales of surveillance video software allegedly vulnerable to hacking.
The settlement in United States ex rel. Glenn v. Cisco Systems, Inc., No. 1:11-cv-00400-RJA (W.D.N.Y.), includes $2.6 million to the federal government and approximately $6 million to the states and the District of Columbia; a 20% share (approximately $1.75 million) of the total recovery will go to the whistleblower, relator James Glenn.
The qui tam complaint was filed in 2011 by Glenn, a cybersecurity specialist formerly with NetDesign, a Cisco distribution affiliate in Denmark. Glenn alleged that the Cisco product, a software suite called Video Surveillance Manager (VSM), was so insecure that hackers could readily access it to disable surveillance cameras, bypass door locks and alarms, delete security footage, and compromise security in other ways.
The U.S. Secret Service, the Department of Homeland Security, the Federal Emergency Management Agency (FEMA), and all four branches of the U.S. armed forces were among government purchasers of VSM. The product was also purchased for use by the Los Angeles, San Diego, and Chicago Midway International Airports as well as selected Amtrak stations, police departments, and other state and local government entities.
The complaint—unsealed after eight years upon announcement of the settlement—alleged that Cisco knew of the system’s vulnerability as early as October 2008, when Glenn claims he submitted a detailed report to the company, explaining the security flaws, providing photographic and documentary evidence, and warning that VSM required a major overhaul or withdrawal from the market. Glenn says NetDesign fired him in retaliation a few months later; NetDesign says it laid Glenn off for budgetary reasons.
According to Cisco, it published a “best practices manual” in 2009 (the year after Glenn alerted the company) that urged users of its surveillance products to “build necessary security features on top of” Cisco’s software. The company further states that it provided a patch four years later, in 2013, advising customers to “upgrade to [the] new version of the software which addressed security features.” Sales of the older version of the software ended in September 2014.
Partly due to the novel nature of the claims, the qui tam complaint had some unusual features that may have made for considerable challenges at trial. For instance, the complaint made the extreme claim that VSM’s security flaws rendered the product worthless. Another complicating factor was that government agencies purchased the product not from Cisco, but rather from Cisco’s “distribution partners.” Moreover, there was some degree of uncertainty over whether the complaint’s underlying legal theory—that VSM’s flaws rendered it noncompliant with the Federal Information Processing Standards (FIPS)—was sufficient to establish an FCA violation.
Nevertheless, the allegations in the complaint were enough to prompt settlement. The resulting payout by Cisco sounds an alarm to government contractors providing software and digital systems to government entities (whether as stand-alone products or as components of other goods and services). Early signs are that DOJ, state attorneys general, and the qui tam bar all perceive the Cisco settlement as marking a shift in the FCA landscape. Contractors thus have a strong incentive to heighten vigilance regarding the security of their digital products and services. Along with more traditional False Claims Act exposure in government acquisitions and healthcare, potential cybersecurity vulnerabilities are now another area of FCA risk that companies need to manage as seriously, systematically, and proactively as possible.