Cisco Systems has agreed to pay $8.6 million to settle claims that it sold defective software to U.S. government agencies in what appears to be the first payout in a cybersecurity case initiated by a whistleblower.
The settlement and underlying complaint were unsealed on Wednesday, 10 years after James Glenn, a Danish employee of Cisco partner NetDesign, was fired for reporting that Cisco’s Video Surveillance Manager (VSM) software had critical security flaws.
Cisco will pay Glenn more than $1 million, with the remainder of the settlement going to the federal government and more than 15 state agency buyers of the software to whom the company allegedly misrepresented its safety.
Experts said the payout is the first in a cyber case brought under the False Claims Act and could inspire similar claims over cybersecurity standards.
The settlement “clearly provides an opportunity for entrepreneurial plaintiffs or potential plaintiffs to go around looking for more examples like this,” Georgetown University law professor Gregory Klass told Reuters.
The False Claims Act provides for whistleblowers to be compensated if they bring misconduct by government contractors to light.
“With many contracts including pledges that products meet cyber security standards set by the government, experts have long warned that [whistleblower] claims could expand into that area and punish vendors for the vulnerabilities that are present in many systems,” Reuters noted.
Cisco’s VSM system was used by customers including the U.S. military, Los Angeles International Airport, the Washington, D.C. police and the New York City public transit system, as well as many schools.
According to Glenn’s complaint, he was working on security issues at NetDesign when he warned Cisco that a hacker who got into one camera that was part of the system could use flaws in the software to get administrative control of the entire network. When Cisco failed to act, he alerted a detective on an FBI terrorism task force.
“There’s this culture that tends to prioritize profit and reputation over doing what’s right,” Glenn said in a statement. “I hope coming forward with my experience causes others in the tech community to think about their ethical mandate.”