On July 31, 2019, a False Claims Act matter pending in the United States District Court for the Western District of New York was unsealed, revealing an $8.6 million settlement that may have far-reaching implications for government contractors. The litigation, United States, et al., ex rel. James Glenn v. Cisco Systems, Inc., was initiated in 2011 on behalf of the federal government and a number of state governments, after a Denmark-based employee of a Cisco affiliate was terminated allegedly for reporting a flaw in one of Cisco’s video surveillance products. With the rapidly developing role of cybersecurity in federal procurements, government contractors should clearly understand their obligations, representations, and certifications to avoid False Claims Act liability and ensure compliance.
According to the unsealed complaint, in 2007, Cisco created an IP video surveillance product, Cisco Video Surveillance Manager (“VSM”). The system allows customers to connect and manage multiple video surveillance cameras through a single centralized server, which can be accessed remotely. This means that the system could connect multiple camera systems located around the country and store data and allocate video streams from one (or a small number) of principle locations. A system such as this was particularly attractive to federal government agencies and multi-facility organizations, which often have many physical offices or worksites around the country that must be monitored on an ongoing basis. For example, Cisco’s VSM was used by all four branches of the U.S. Military, at many schools, at the Los Angeles International Airport, and by the Metropolitan Police Department in Washington, D.C. and the New York City public transmit system, among others.
In October 2008, James Glenn was a computer security expert, working for one of Cisco’s Danish distributors, when he discovered and reported alleged flaws in the Cisco VSM system that, according to the complaint, would allow a person with only a “moderate knowledge of software/network security” and the software program to “exploit the system in a number of ways, including: gaining access to all video feeds, . . . all user passwords, [and] . . . all stored data on the system, modifying or deleting video feeds, and gaining permanent ‘administrator’ (i.e., highest-level) access to the system (which would enable future abuse to go completely undetected).” Glenn contended that these flaws would not only render the product worthless (and likely harmful) to customers, risking exposure of their critical security data, but it would “violate the mandatory technical requirements imposed on any computer system sold to the Government . . . .”
The complaint further alleges that, rather than Cisco taking action to correct the vulnerabilities with the software in response to Glenn’s report, Glenn was terminated by the Danish distributor. Indeed, Cisco continued to sell the product, without repair or correction and without notice to customers of the system’s vulnerabilities, until it issued a security alert in 2013, along with a solution to solve the security flaws. By then, Glenn had already filed his False Claims Act case and the FBI was already investigating. Critically, Cisco, in billing the government for the purchase of the Cisco VSM, was required to represent that its surveillance products were compliant with the federal government’s National Institute of Standards in Technology (“NIST”), which sets minimum security standards required to technology companies who do business with the government. Because, based on Glenn’s report, Cisco knew that the Cisco VSM did not meet these standards, it may have presented repeated false claims to the government over a five year period, subjecting it to potential False Claims Act liability.
The settlement appears to be the first time there has been a payout, either through a judgment or settlement, in a False Claims Act case brought due to a party’s failure to meet cybersecurity standards. But, it is undoubtedly not the last. Given the favorable outcome in the Cisco case, and the substantial monetary benefits available to successful whistleblowers in False Claims Act matters—Glenn will receive approximately $1.72 million for blowing the whistle on Cisco—we expect many more cybersecurity False Claims Act complaints to be filed in the coming years. Therefore, it is critical that government contractors have a clear understanding of their obligations, representations, and certifications with regard to cybersecurity requirements on federal contracts.
To assist government contractors and related companies in understanding the False Claims Act and how to avoid False Claims Act liability, PilieroMazza has launched “Ex Rel. Radio,” a multi-part series of our GovCon Live! podcast, which will include commentary on potential pitfalls for your company, enforcement issues, and emerging trends. The first episode of Ex Rel. Radio: “Cybersecurity, Implied Certifications, and the False Claims Act,” is available on Apple Podcasts, Spotify, Google Podcasts, TuneIn, Stitcher, or visit our website.
Matthew Feinberg, the author of this blog, is a member of the Firm’s False Claims Act, Litigation, Government Contracts, Labor & Employment, Business & Transactions, and Native American Law practice groups.
