Compliance Primer: Cisco’s False Claims Act Settlement Demonstrates Why Compliance is Important to IT Vendors

Posted: September 4, 2019

Recently, Cisco struck a deal with private plaintiffs and various government enforcement bodies to pay $8.6M for falsely certifying to government customers that their software packages did not contain any security flaws when in fact Cisco was made aware of such flaws but chose not to fix the flaws in a timely manner. What is interesting about this case is that this was prosecuted under the False Claims Act.

The False Claims Act is not a new law – it has actually been around since the Civil War; however, its application has been more predominant in the healthcare space, in terms of Medicare payments made for the provision of non-compliant medical services. Cisco’s settlement is one of the first instances in which this law has been applied to IT companies.

In general, the False Claims Act prohibits anyone from knowingly making a false statement or claim in connection with a payment from the federal government.[1] The penalty for violating this law is a civil penalty of between $5,000 and $10,000, plus 3X the amount of damages the government sustains, for each violation. Since each violation carries this penalty, settlements can reach into the hundreds of millions of dollars. For example, the Agility Public Warehousing Company paid $1.5 billion to resolve claims that the company promoted an off-label use of a drug that it produced. Bank of America and Countrywide Financial agreed to pay nearly $1 billion in fines as a result of their illegal banking practices. In 2000, the mega-hospital corporation HCA agreed to pay $731M for its unlawful billing practices.[2]

While the civil penalties can be prohibitive, the real kicker with the False Claims Act is that violators can face criminal prosecution, with many executives in the healthcare industry having been sent to prison for such violations. For example, Riverside General Hospital’s former president was sentenced to 45 years in federal prison for committing fraud on the Medicare program.[3]

The False Claims Act is one example of the diverse array of compliance regulations that companies must grapple with today. Additionally, the penalties for violating these regulations are becoming more severe. The easiest and best way to comply with these regulations is to have an active and ongoing compliance program. Numerous government agencies have issued guidance as to what constitutes an effective compliance program. Such programs have the following elements:

  1. Chief Compliance Officer;
  2. Policies and Procedures;
  3. Anonymous reporting of compliance violations;
  4. Employee training and education on compliance requirements;
  5. Internal monitoring and auditing of compliance processes, as well as an enterprise-wide annual risk assessment (at a minimum);
  6. Management’s response to compliance complaints/found deficiencies; and
  7. Sanctions for violating policies and procedures.

In the next article in this series, we will examine some best practices with each of these elements.

[1]Many states have laws similar to the federal False Claims Act.

[2] Top False Claims Act Cases by Civil Award Amount, Taxpayers Against Fraud (last accessed August 9, 2019), <>.

[3] False Claims Act: Increased Prosecutions and Higher Sentences, National Law Review (June 23, 2015) (last accessed August 9, 2019), <>.

Author: Daniel Kiehl

Dan Kiehl obtained his Juris Doctor degree from Valparaiso Law School in 2012, and practiced law for three years before transitioning to a compliance-based consulting role allowing him to help a wide variety of healthcare organizations remain compliant with multiple healthcare laws and standards. In addition, he has been instrumental in helping his clients streamline their operations to maximize reimbursement potential with federal and third-party payors.

Dan also has experience auditing various organizations to ensure they remain compliant with both domestic and international marketing laws. In his current role as a CompliancePoint Policy Analyst, he consults with a wide variety of organizations to ensure their privacy and information security policies are compliant with the various regulatory and third-party frameworks (e.g., GDPR, HIPAA, HITRUST, PCI, SOC 2, NIST and ISO).

When not consulting, he provides information security policy insights and has also authored the following published articles:
• “The Uncertainty of the Implied Certification Theory.” Compliance Today (March 2017).
• Co-authored with Sandra Champion. “Guidelines and Strategies for Navigating Stark’s Physician Recruitment Exception.” Coker Group (November 2016).
• “Remaining Stark-Compliant with the ‘Practice Losses’ and Ancillary Services.” Coker Group (November 2016).
• “Completely Unreasonable: ‘Practice Losses’ as a Basis for Stark Violations in the Era of Value-Based Reimbursement.” Journal of Health Care Finance (Sept. 2016).

Dan has received the JD (Juris Doctor) and LLM (Masters in Health Law) law degrees, as well as attained CHC (Certified in Health Care Compliance), CIPP/US (US-based privacy), and the CECP (Customer Engagement Compliance Professional) certifications.

He is also a veteran of the Iraq war.
