Cisco to Pay $8.6 Million in Whistleblower Case for Flawed Software
The settlement resolves claims under the federal False Claims Act and other jurisdictions arising from Cisco’s sale of defective video surveillance software to the federal government, 15 plaintiff states and the District of Columbia.
The case was brought forward by James Glenn, a former contractor who accused Cisco of failing to fix several security flaws and continuing to sell defective video surveillance software to U.S. government agencies for years.
“The tech industry needs to fulfill its professional responsibility to protect the public from their products and services,” Glenn said. “There’s this culture that tends to prioritize profit and reputation over doing what’s right. I hope coming forward with my experience causes others in the tech community to think about their ethical mandate.”
Cisco sent us the following statement: “We are pleased to have resolved a 2011 dispute involving the architecture of a video security technology product we added to our portfolio through the Broadware acquisition in 2007. There was no allegation or evidence that any unauthorized access to customers’ video occurred as a result of the architecture.”
Glenn is represented by Constantine Cannon LLP, with Phillips & Cohen LLP as co-counsel and Personius Melber LLP as local counsel.
The False Claims Act permits individuals to report fraud and misconduct in federal government contracts and programs by filing a whistleblower lawsuit on the government’s behalf, and provides for financial rewards to whistleblowers based on recovery by the government. The Federal Acquisition Regulation and other applicable procurement standards require government IT contractors to comply with basic cybersecurity controls, including those set by the National Institute of Standards and Technology.
Glenn submitted several detailed reports to Cisco allegedly revealing that anyone with a moderate grasp of network security could exploit this software to gain unauthorized access to stored data, bypass physical security systems and gain administrative access to the entire network of a government agency, all without detection, according to Constantine Cannon. Despite the repeated internal warnings, Cisco allegedly continued to sell the vulnerable software to high-profile infrastructure targets.
“Citizens depend on the tech industry to keep our data secure, and every data breach we read about shakes our confidence,” said Michael Ronickher, a partner at Constantine Cannon’s Washington, D.C., office. “This case is a critical step forward in enforcement of cybersecurity requirements — the first time the government has used a whistleblower’s information to hold a major provider accountable.”