Cybersecurity and Data Breaches

Cisco Systems, Inc. – Government Contract Fraud/Non-Conforming Product ($8.6 million)

Constantine Cannon represented whistleblower James Glenn against Cisco in the first cybersecurity whistleblower case ever successfully resolved under the False Claims Act. Cisco Systems, Inc. agreed to an $8.6 million settlement to resolve allegations it knowingly sold vulnerable video surveillance software to federal, state and local government agencies, exposing government systems to the risk of unauthorized access and the manipulation of vital information. The whistleblower, who worked in Europe for a Cisco partner, had reported critical security vulnerabilities in the software to Cisco, but Cisco had continued to sell the technology to government entities, including the District of Columbia and 15 states, despite the fact that the software failed to comply with FAR procurement standards that require basic cybersecurity controls, including those set forth by the National Institute of Standards and Technology.  Read more: Press Release; Whistleblower Insider

July 22, 2019

Credit reporting company Equifax has agreed to pay up to $700 million to resolve claims related to its 2017 data breach in a global settlement with the FTC, the CFPB, and 50 U.S. states and territories.  The settlement will be entered as a stipulated judgment in civil action pending against Equifax, alleging that Equifax failed to take adequate steps to secure its network and consumer data, despite being warned of network vulnerabilities, resulting in a hack that exposed the private information of almost 150 million people.  The settlement provides that defendant will pay between $300 million and $425 million to compensate affected consumers, in addition to a $100 million penalty to the CFPB and $175 million to the states.  Equifax also agreed to take specified steps to improve information security, subject to review by an independent third party.  FTC; CFPB; AG CA; AG NY; AG PA

May 23, 2019

Sixteen states have reached a settlement with the Medical Informatics Engineering and NoMoreClipboard, LLC, which have agreed to pay $900,000 to resolve allegations that the companies violated the Health Insurance Portability and Accountability Act (HIPAA), unfair and deceptive practice laws, notice of data breach statutes, and state personal information protection laws. The companies provide patient portals to healthcare providers, enabling patients to access their health records. Hackers allegedly infiltrated the companies' servers in May 2015, stealing the information of more than 3.9 million individuals. A consent judgment with specific compliance agreements was also entered by the court.  FL; NC

October 16, 2018

Sudhakar Reddy Bonthu, a former manager at Equifax, was sentenced to 8 months of home confinement and fined $50,000 for insider trading related to Equifax's massive data breach in 2017. As a member of a team tasked with quickly developing an online user interface for 100 million possible victims of a data breach at an unnamed company, Bonthu quickly guessed that the company in question was the one he worked for. In violation of company policy as well as federal law, Bonthu then allegedly bought a large quantity of Equifax stock, specifically put options, which allowed him to profit if the value plummeted within a two week period. Six days later, Equifax announced the breach and its stock value plummeted, netting Bonthu more than $75,000 in fraudulently gained profits. USAO NDGA