The False Claims Act (FCA), 31 U.S.C. §§ 3729–3733, imposes liability on any person who knowingly submits a false claim for payment to the federal government. The 2019 settlement with Cisco Systems is the first publicly reported FCA settlement based on cybersecurity claims.
The case stemmed from an FCA complaint alleging that Cisco continued to market and sell its Video Surveillance Manager product line to federal agencies despite knowing the products contained security vulnerabilities. The Cisco engineer who reported the vulnerabilities internally was first ignored and then terminated; he then filed the qui tam complaint.
Under the terms of the settlement, Cisco pays $2.6 million to the federal government and as much as $6 million to 15 states and the District of Columbia, for a total of up to $8.6 million, of which roughly $1.6 million goes to the former employee as his whistleblower (relator's) share.
What does this mean for you?
Cisco's agreement to settle this matter suggests that cybersecurity-related claims under the FCA are viable. With fast-paced developments in technology and increasing pressure on companies to counter cyberattacks, the technology, security, and cyber industries may well present a growing target for FCA enforcement. In addition, as the Cisco case makes clear, liability does not require proof of an actual breach: the FCA reaches the false representation that a product or service meets the security requirements the government contracted for, so selling a product with known, undisclosed vulnerabilities can be enough on its own. Compared with the $8.6 million settlement here, the damages could be far higher in a case where a data breach does in fact occur.
Companies contracting with the government must remain aware of the federal government's focus on cybersecurity compliance. This is particularly true for companies contracting with the Department of Defense ("DoD"), which already requires contractors handling covered defense information to implement NIST SP 800-171 under DFARS 252.204-7012 and is layering the new Cybersecurity Maturity Model Certification ("CMMC") on top of that requirement.
Contractors also cannot rely on having negotiated a clause out of a contract. Under the Christian doctrine, federal courts read mandatory FAR and DFARS clauses that express a deeply ingrained strand of public procurement policy into a contract by operation of law, even when a contracting officer and the contractor omitted them; the contractor remains bound by those clauses regardless of what the signed document says. The doctrine is limited to such mandatory, policy-driven clauses, but the cybersecurity requirements discussed here are the kind most likely to be treated that way.
DoD has also stated that it will treat the cost of meeting its cybersecurity requirements as an allowable cost under its contracts. As a result, contractors will be hard pressed to find a valid excuse for not maintaining compliant cybersecurity practices.