On July 31, 2019, Cisco Systems agreed to pay $8.6 million to settle allegations in United States ex rel Glenn, et al v. Cisco Systems, Inc. that the company violated the False Claims Act (FCA) by selling video surveillance systems to state and federal agencies that contained software flaws enabling those agencies to be hacked. An employee of one of Cisco’s resellers filed the suit in 2011 after discovering the alleged security weakness that could permit a cyber intruder to obtain administrative access to the software that managed video feeds.
The cybersecurity specialist alleged in his complaint that the company violated the FCA by (1) failing to inform government agencies that the software did not comply with the standards imposed by the Federal Information Security Management Act (FISMA) and (2) by providing a product that was worthless due to the security flaws in the software. Although this settlement marks the first time that a cybersecurity related qui tam has ended in a recovery through a settlement or judgment, it appears to be a sign of the times. As more such cases—alleging noncompliance with the DFARS Safeguarding Rule or FedRAMP requirements— are investigated and proceed through the courts, Glenn could be the first of many such recoveries.