Whistleblower programs that previously focused on traditional concerns such as accounting and FCPA issues should now consider expanding to incorporate company IT and information security teams and account for data protection and cybersecurity-related whistleblower complaints.
On July 31, 2019, Cisco Systems agreed to pay $8.6 million in civil damages—including approximately $1.6 million to a whistleblower—to resolve claims that it sold video surveillance software that had significant security vulnerabilities to local, state, and federal governments. The settlement is the first payout on a False Claims Act ("FCA") case brought over cybersecurity vulnerabilities.
According to the complaint, a subcontractor for Cisco in Denmark alerted the company to the vulnerabilities in November 2008. When the subcontractor discovered in June 2010 that Cisco had not addressed the vulnerabilities, he notified the FBI. Cisco acknowledged the vulnerabilities and released an updated version of the software in July 2013, stopped sales of the software in September 2014, and released a security advisory to entities using the software in 2015. While there were no allegations that the vulnerabilities had been exploited by hackers, they reportedly could have been used to gain administrative access to the video surveillance software and compromise the physical cameras themselves. The vulnerabilities made the software noncompliant with the federal government's National Institute of Standards and Technology ("NIST") framework. Accordingly, Cisco's representations that its products were NIST-compliant formed the basis for the FCA allegations.
- Companies should include within their data protection and cybersecurity programs the ongoing identification, assessment, and prompt remediation of cybersecurity vulnerabilities.
- Companies should be mindful that claims concerning cybersecurity vulnerabilities may come to corporate IT and information security departments, which may not have experience with, or be particularly adept at, handling whistleblower-style complaints.
- Companies should therefore maintain a comprehensive approach to addressing all potential whistleblower complaints, from traditional areas like the Foreign Corrupt Practices Act or accounting-related issues, to security and data-related risks.