Recent Settlement Demonstrates That Cybersecurity Vulnerability May Create False Claims Acts Exposure
The federal False Claims Act (FCA) prohibits the knowing submission of a false or fraudulent claim to the federal government. Many states have their own version of the FCA, prohibiting the same conduct in relation to state programs. Although the FCA is often associated with healthcare fraud, it applies across all sectors to any company that transacts business with the federal government. Theories of FCA liability continue to evolve to encompass new areas and factual premises where fraud may occur, often due to new technologies, the number and variety of industries doing business with the government, and creative whistleblowers and whistleblower lawyers.
A recent $8.6 million settlement related to uncured technological vulnerabilities shows that cybersecurity is a new arena where FCA liability may arise. The case is United States ex rel. Glenn v. Cisco Systems Inc., and was filed in the Western District of New York.
Mr. Glenn, a whistleblower, filed a lawsuit under the FCA’s qui tam provisions alleging that Cisco violated the FCA by selling the federal and various state governments technology laden with security flaws and defects. Mr. Glenn alleged that the defects were so significant that they rendered the technology worthless to the government, as it did not meet the primary purpose for which it was purchased. Mr. Glenn also alleged that the technology did not comply with government-imposed security standards.
Cisco’s contracts with the government required Cisco to repair or replace flawed equipment. Mr. Glenn alleged that Cisco’s failure to repair the faulty technology amounted to knowingly avoiding an obligation to pay money or transfer property to the government, in and of itself an FCA violation. Interestingly, Mr. Glenn’s suit was not premised on a cyberbreach or hacking incident; rather, his claim involved the provision of worthless services and the failure to correct known flaws.
The Cisco settlement demonstrates that theories of FCA liability continue to grow and expand to new areas and industries. Companies offering services and products must ensure they comply with any remedial provisions contained in a contract with the government. As seen in the Cisco matter, failure to correct a known defective product or service may create a viable FCA claim.