Cisco’s Settlement Over Video Surveillance Flap Signifies a New Era in Vendor Accountability

Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• After a protracted legal battle that spanned nearly a decade, Cisco settled a lawsuit accepting accountability for a security flaw in a video surveillance system sold to Homeland Security, the Secret Service, and other U.S. government agencies.

• As part of the settlement, the partner’s employee who originally reported the vulnerability will receive $1.5 million.

Eight years after the filing of a lawsuit against Cisco on behalf of U.S. public sector customers and more than a decade after a Cisco contractor initially called attention to a serious security flaw in one of the vendor’s video surveillance solutions, the IT equipment maker reached an $8.6 million settlement with the aggrieved parties and admitted culpability. In a blog posted in late July, Cisco General Counsel Mark Chandler wrote that software developed by Broadware – a company acquired by Cisco – used an open architecture that could be vulnerable to a breach. The settlement amount equates to a partial refund to the U.S. federal government and 16 states that bought products between 2008 and 2013. And the $8.6 million settlement included a $1.6 million payment to the person who first identified the vulnerability, although ultimately, no breach ever occurred.

The vulnerability in the video surveillance solution was originally reported to Cisco in 2008 by James Glenn, who worked for Cisco partner NetDesign in Denmark. Cisco did not respond to his reports of a flaw that could allow hackers to take over surveillance cameras and associated systems. Two years later, Glenn noticed the video surveillance systems in use at Los Angeles International Airport and he reached out to security officials to alert them to the issue. The lawsuit was filed in Western District of New York under the False Claims Act.

While Cisco did issue a best practices guide advising clients to adjust their access controls to eliminate the vulnerability, the company didn’t issue a software update to fix the flaw until 2012. In his blog post, Cisco’s Chandler said that Cisco addressed the issue with the publication of the best practices guide but that more stringent standards to which security-conscious clients are holding IT providers to account require Cisco and its partners to step up their game. He pointed to the settlement as proof Cisco wants to stay ahead of the expectation curve.

This suit by itself certainly doesn’t indicate a major trend in False Claims Act suits. But in the context of a market where security and privacy issues are a top priority, clients demand better, and more immediate, action from their technology suppliers.


What do you think?

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.