Whistleblower Receives First False Claims Act Payout for Cybersecurity Claim
Whistleblower programs that previously focused on traditional concerns such as accounting and FCPA issues should now consider expanding to incorporate company IT and information security teams and account for data protection and cybersecurity-related whistleblower complaints.
On July 31, 2019, Cisco Systems agreed to pay $8.6 million in civil damages—including approximately $1.6 million to a whistleblower—to resolve claims that it sold video surveillance software that had significant security vulnerabilities to local, state, and federal governments. The settlement is the first payout on a False Claims Act ("FCA") case brought over cybersecurity vulnerabilities.
According to the complaint, a subcontractor for Cisco in Denmark alerted the company to the vulnerabilities in November 2008. When the subcontractor discovered in June 2010 that Cisco had not addressed the vulnerabilities, he notified the FBI. Cisco acknowledged the vulnerabilities and released an updated version of the software in July 2013, stopped sales of the software in September 2014, and released a security advisory to entities using the software in 2015. While there were no allegations that the vulnerabilities have been exploited by hackers, they reportedly could have been used to gain administrative access to the video surveillance software and compromise the physical cameras themselves. The vulnerabilities made the software noncompliant with the federal government's National Institute of Standards in Technology ("NIST") framework. Accordingly, Cisco's representations that its products were NIST-compliant formed the basis for the FCA allegations.
- Companies should include within their data protection and cybersecurity programs the ongoing identification, assessment, and prompt remediation of cybersecurity vulnerabilities.
- Companies should be mindful that claims concerning cybersecurity vulnerabilities may come to corporate IT and information security departments, which may not have experience with, or be particularly adept at, handling whistleblower-style complaints.
- Companies should therefore maintain a comprehensive approach to addressing all potential whistleblower complaints, from traditional areas like the Foreign Corrupt Practices Act or accounting-related issues, to security and data-related risks.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.