Cisco Systems, Inc. has settled a qui tam action brought under the federal False Claims Act, 31 U.S.C. § 3729, for $8.6 million, with James Glenn, a former employee. Because this is a qui tam action, Glenn is entitled to receive 20% of the recovery he furthered on behalf of the government.
Glenn found the original insecurity in the Cisco video surveillance system in 2008, when he reported it to his employer, a Cisco reseller in Denmark. Instead of being recognized with a bug bounty, he was fired.
The Associated Press reports that the software was “used at major U.S. international airports and multiple federal agencies with sensitive missions.” Glenn filed the lawsuit in 2011, but it took Cisco another two years to take steps to resolve the software failure.
In a statement published on July 31st, Cisco’s Mark Chandler writes, “in short, what seemed reasonable at one point no longer meets the needs of our stakeholders today.” It is inconceivable that the nature of this software failure was anything other than a structural failure to secure the software used in critical infrastructure facilities.
Cisco’s statement that “the total sales at issue were well under one one-hundredth of one percent of Cisco’s total sales, and our total payment was $8.6 million” strongly suggests the need for a much higher disgorgement regime when companies show such callous disregard of public safety.
While the action serves as a long-awaited repayment to Mr. Glenn for his ongoing efforts, it also highlights the failure to manage greed and arrogance.
As Chandler concludes, “it matters to us to recognize that times and expectations have changed.” They have, but not for the better.