Question of the Week — Should Companies Face Tougher Consequences for Cybersecurity Breaches?
Last month, a whistleblower represented by Constantine Cannon became the first person to win a False Claims Act settlement for cybersecurity fraud. The whistleblower, a former Cisco Systems employee, allegedly warned the company back in 2008 that its Video Surveillance Manager (VSM) system was highly vulnerable to attacks by hackers. The system’s flaws allegedly could have enabled hackers to delete video footage, monitor footage, and even disable the system entirely. Among other public entities, Cisco allegedly sold the system to the U.S. Military, the Los Angeles International Airport, the Washington D.C. police, and the New York City public transit authority.
All of these entities relied on Cisco’s product to protect the public. Nonetheless, Cisco allegedly continued to sell its VSM system—without fixing the system’s vulnerabilities or warning its customers—for more than five years after learning of the issue. Only then did it inform customers of the flaw and release a solution. As the whistleblower explained, the case highlights the responsibilities that (should) come with the immense power wielded by the tech industry: “The tech industry needs to fulfill its professional responsibility to protect the public from their products and services. There’s this culture that tends to prioritize profit and reputation over doing what’s right. I hope coming forward with my experience causes others in the tech community to think about their ethical mandate.”
But is $8.6m—the amount paid by Cisco to end the whistleblower’s lawsuit—enough to get tech companies to take their ethical obligations seriously? Cisco generated an astounding $49.33B in revenue for 2018 alone. Will $8.6m cause companies to rethink their actions? Or will the penalty be viewed as a paltry cost of doing business?