Constantine Cannon Whistleblower Client Wins First-Ever False Claims Act Settlement for Cybersecurity Fraud
Cisco Systems, a Fortune 100 Company, was alleged to be selling security surveillance technology to federal, state, and local agencies while fully conscious of its serious vulnerabilities.
WASHINGTON, D.C., July 31, 2019 – In the first cybersecurity whistleblower case ever successfully litigated under the False Claims Act, Cisco Systems, Inc. has agreed to an $8.6 million settlement to resolve allegations it knowingly sold vulnerable video surveillance software to federal, state and local government agencies, exposing government systems to the risk of unauthorized access and the manipulation of vital information.
This qui tam settlement, unsealed today, resolves claims under the False Claims Acts of the United States and other jurisdictions arising from Cisco’s sale of defective video surveillance software to the federal government, 15 plaintiff states, and the District of Columbia.
The whistleblower alerted the government that, beginning in 2008, Cisco allegedly concealed critical security vulnerabilities in the video surveillance software it was selling to government entities, including the Department of Homeland Security, the Secret Service, the Army, the Navy, the Air Force, the Marine Corps and the Federal Emergency Management Agency. James Glenn was working for a Cisco distribution partner in Denmark when he first discovered and reported to Cisco that its Video Surveillance Manager (VSM), a bundled, centralized video surveillance system, could be easily exploited.
The whistleblower submitted several detailed reports to Cisco allegedly revealing that anyone with a moderate grasp of network security could exploit this software to gain unauthorized access to stored data, bypass physical security systems, and gain “administrative” access to the entire network of a government agency, all without detection. Despite the repeated internal warnings of VSM’s flaws, Cisco allegedly continued to sell the vulnerable software to high-profile infrastructure targets.
The whistleblower filed an action under the False Claims Act, which permits individuals to report fraud and misconduct in federal government contracts and programs by filing a qui tam lawsuit on the government’s behalf, and provides for financial rewards to whistleblowers based on recovery by the government. The Federal Acquisition Regulation and other applicable procurement standards require government information technology contractors to comply with basic cybersecurity controls, including those set forth by the National Institute of Standards and Technology.
“The tech industry needs to fulfill its professional responsibility to protect the public from their products and services,” said Mr. Glenn. “There’s this culture that tends to prioritize profit and reputation over doing what’s right. I hope coming forward with my experience causes others in the tech community to think about their ethical mandate.”
Mr. Glenn is represented by Constantine Cannon LLP and its whistleblower attorneys Anne Hayes Hartman, Michael Ronickher, and Hamsa Mahendranathan, and co-counsel Claire Sylvia at Phillips & Cohen LLP. Brian Melber at Personius Melber LLP served as local counsel.
“Citizens depend on the tech industry to keep our data secure, and every data breach we read about shakes our confidence,” said Michael Ronickher, a partner at Constantine Cannon’s Washington, D.C. office. “This case is a critical step forward in enforcement of cybersecurity requirements – the first time the government has used a whistleblower’s information to hold a major provider accountable.”
Hamsa Mahendranathan, an attorney in Constantine Cannon’s New York office added “This video surveillance software is used by airports, police departments, and schools. It is supposed to make us safer, making the vulnerabilities at issue all the more troubling. As we put more trust in tech companies to keep us safe, we need to encourage industry whistleblowers to come forward more than ever.”
Mary Inman, a partner who launched Constantine Cannon’s international whistleblower practice in London in 2017 said: “As business is increasingly conducted on a global scale, it is terrific to see that the fight against fraud on American taxpayers is also going global. Mr. Glenn, who worked in Denmark at NetDesign, a Cisco subcontractor, is part of a growing army of international whistleblowers who are being mobilized as citizen watchdogs to be the eyes and ears of U.S. authorities abroad.”
To read more about whistleblower rewards for cybersecurity breaches, see the Constantine Cannon blog post, “Blowing the Whistle on Data Breaches and Cybersecurity Flaws.”
About Constantine Cannon LLP
Constantine Cannon has the world’s largest international whistleblower practice, with offices in New York, Washington, D.C., San Francisco, and London. The firm’s team of dedicated whistleblower lawyers represent whistleblowers under federal and state False Claims Acts as well as the whistleblower programs of the IRS, SEC, CFTC, DOT, and others. . ’
Constantine Cannon’s experience spans across multiple practice areas that include antitrust and complex commercial litigation, whistleblower representation, government relations, securities, and e-discovery. The firm’s antitrust practice is among the largest and most well recognized in the nation.