Why the Security Industry Should Pay Attention to the Cisco Whistleblower Case

The significance of a whistleblower case against Cisco goes beyond the $8.6 million that the company recently paid the federal government and various states to settle.

What was truly important about the case was that it shows how effective a whistleblower law known as the False Claims Act can be as a way to bring to the government’s attention issues with the security products and services it purchases.

While doing the right thing, whistleblowers are protected against job retaliation and can get substantial rewards under the False Claims Act. In the Cisco case, the whistleblower will receive a reward of up to $1.6 million.

The Cisco case is the first time a whistleblower in the cybersecurity industry has had success with the False Claims Act. However, the security industry can expect to see many more False Claims Act cases in the future given the vast amounts of money government agencies are spending on cybersecurity.

Whistleblowers will turn to the False Claims Act because of the law’s unique power to address problems by offering rewards to whistleblowers to encourage them to step forward and requiring the government to investigate whistleblower allegations. The law also offers whistleblowers protection against job retaliation and the right to seek compensation if it occurs.

The False Claims Act has become the most effective way to stop all kinds of fraud against the government, though most cases to date have involved Medicare fraud and defense contractor fraud. Originally enacted as “Lincoln’s Law” during the Civil War as a way to stop contractors from cheating the government by selling lame mules and defective goods to the Union Army, the law was modernized by Congress in 1986 to make it a stronger and more effective whistleblower law.

Since then, the federal government has recovered more than $43 billion as a result of whistleblower cases brought under the False Claims Act and has paid whistleblower rewards totaling over $7 billion.

The federal False Claims Act and similar state laws prohibit making false or fraudulent claims for payment from the government. A person who knows that a company is making misrepresentations to the government in connection with government purchases – whether by supplying products that don’t work as represented, by hiding overcharges or by not complying with important regulations – can file, through an attorney, a whistleblower (“qui tam”) lawsuit to sue the company and recover funds on the government’s behalf.

The qui tam lawsuit is filed “under seal,” so that only the government sees it and knows of its existence while the government is investigating. The government has 60 days to investigate the whistleblower’s allegations and decide whether to join, or “intervene,” in the case.

In reality, government investigations generally take much longer, so the government usually gets court permission to extend the seal for a year or more to continue investigating before making a decision.

If the government decides to intervene, it usually works with whistleblowers and their attorneys to pursue the case. If funds are recovered, the whistleblower is entitled to 15-25% of the amount recovered.

If the government decides not to intervene, whistleblowers may continue to litigate the case on their own. They may receive a larger share of the recovery in those cases: up to 30%.

In the Cisco case, the whistleblower, James Glenn, was a cybersecurity consultant with a Cisco partner in Denmark. He discovered what he believed to be serious vulnerabilities with Cisco’s internet protocol video surveillance product, known as the “Video Surveillance Manager” (VSM), and was concerned that the security of any computer or system connected to the product also was compromised.

He believed that a person with just a moderate knowledge of software and network security could hack into the system and gain access to all video feeds, user passwords and stored data and gain permanent administrator access.

The purchasers of the VSM included the US Department of Homeland Security, all four branches of the US military, Los Angeles International Airport, the Washington, DC, police department and other law enforcement agencies. Shortly after he presented a detailed report about his findings to Cisco and the Danish company, he was fired.

Uncertain how to proceed and still concerned about security vulnerabilities, Glenn learned about the False Claims Act and contacted my law firm. We then filed a “qui tam” (whistleblower) lawsuit under the False Claims Act, alleging that Cisco had defrauded government entities by selling them video surveillance systems that could be easily hacked.

The government investigated the allegations our client made in his whistleblower lawsuit. Cisco ultimately issued a security advisory and released software updates to address the vulnerabilities. (Cisco’s response to the case is posted here.)

For our client, the case was ultimately a success, but each situation is unique. Someone who is thinking about blowing the whistle should talk to an experienced whistleblower attorney who can answer questions based on their circumstances and advise them about their options. A False Claims Act case is a route more whistleblowers are considering.
