In addition to all of the other risks, liabilities and exposures arising from cybersecurity concerns, you can now add the possibility of a whistleblower action for cybersecurity fraud. According to a July 31, 2019 press release from counsel for the whistleblower involved (here), Cisco Systems has agreed to an $8.6 million settlement in what the press release claims is the “first cybersecurity whistleblower case ever successfully litigated under the False Claims Act.” Cisco has agreed to pay the amount to settle allegations that the company knowingly sold vulnerable and defective video surveillance software to federal, state, and local government agencies, exposing the systems to unauthorized access. As discussed below, this development even further expands the range of concerns companies must take into account when assessing their cybersecurity exposures. An August 12, 2019 memo from the Jones Day law firm about the settlement and its implications can be found here.
Beginning in 2008, an individual working for a Cisco distribution in partner in Denmark discovered and reported to Cisco that the company’s bundled video surveillance system could be easily exploited. The individual claimed that the vulnerability could allow unauthorized access to stored data, allow intruders to bypass physical security systems, and even allow access to the government agency’s administrative system.
In his subsequent False Claims Act complaint, the whistleblower claims that after alerting Cisco to the supposed vulnerabilities, Cisco continued to sell the software. The whistleblower then claims he reported the vulnerabilities to the FBI. Cisco reportedly released an updated version of the software in 2013 and released a security advisory video in 2015. There were no reports that the vulnerabilities had actually been exploited by hackers.
According to the Jones Day law firm’s memo, the vulnerabilities made the software noncompliant with the federal government’s National Institute of Standards in Technology (“NIST”) framework. The alleged noncompliance with the NIST framework formed a basis of the subsequent False Claims Act claim, as Cisco allegedly had claimed that its systems were NIST compliant.
The whistleblower’s complaint asserted claims under the False Claims Acts of the United States and of other jurisdictions arising from Cisco’s sale of defective video surveillance software to the federal government, 15 plaintiff states, and the District of Columbia. According to the Jones Day law firm’s memo, of the $8.6 million that Cisco agreed to pay, $1.6 million will go to the whistleblower.
As cybersecurity issues have continued to develop, we have seen that data breaches and other cybersecurity incidents can affect a company’s credit rating, and even lead to bankruptcy. We have seen lawsuits filed alleging misrepresentations in connection with the state of a company’s cybersecurity protections, and we have even seen lawsuits about alleged misrepresentations about a company’s recovery from a cybersecurity incident. You can now add to this list of cybersecurity vulnerabilities and exposures the risk of a whistleblower claim for cybersecurity fraud, alleging that a company has misrepresented the state of its products’ cybersecurity readiness and compliance.
Many companies are providing products and services in connection with which the companies must provide assurance about their products or services’ cyber readiness. Obviously, it could be harmful to companies’ business reputation and prospects if its products or services do not actually have the state of cyber readiness that the company has asserted. In that event, the company could be susceptible to cybersecurity fraud allegations. As this case shows, those types of allegations could come from a whistleblower.
One feature of this claim that is particularly troublesome is that the whistleblower was a not a Cisco Systems employee; he was an employee of a third-party vendor. Company employees can of course be encourage to report on vulnerabilities and other concerns; individuals associated with outside entities may have less incentive to report within the concerned company. To be sure, the whistleblower in this situation did report his concerns at first to Cisco, and later claimed that despite his warnings the company continued to sell an allegedly defective and vulnerable product.
There are a number of lessons for other companies from this situation.
First, as with this kind of whistleblower report as with respect to all whistleblower reports, companies should take what the Jones Day law firm describes as a “comprehensive approach to addressing all potential whistleblower complaints,” ensuring that warnings and concerns are investigated appropriately and elevated as necessary.
Second, within companies’ date protection and cybersecurity programs, the company should emphasize the ongoing identification, assessment, and remediation of cybersecurity vulnerabilities, and include within that process the consideration and assessment of all cybersecurity vulnerability warnings and concerns reported from those inside and outside the company.
Third, companies need to be aware of and vigilant about the possibility of these kinds of whistleblower claims and take these possibilities into account when assessing the full range of their cybersecurity risks, exposures, and potential liabilities.