Common Sense Is Dead. But the False Claims Act and Cybersecurity Liability Just Got Interesting.”

Caute_cautim — Tue, 12 Aug 2025 05:41:48 GMT

Hi All

Once upon a time, in a world not yet swallowed by legalese, cybersecurity frameworks, and acronyms so dense, they could stop a ransomware attack out of sheer confusion, we had something called Common Sense.

He taught us things like:

Don't touch hot things.
Don't lie.
Lock the damn door.
And perhaps most relevant now: Don’t sell a product that’s defective and tell the buyer it’s bulletproof.

But alas, Common Sense died. According to the London Times, he passed quietly after a prolonged illness, preceded in death by Truth, Trust, and Responsibility. He is survived by his loud, litigious stepchildren:

“I Know My Rights,” “I Want It Now,” “Someone Else Is to Blame,” and “I’m a Victim.”

Today, however, we are not here to mourn. We are here to warn. Because as it turns out, False Claims Act violations now come gift-wrapped in cybersecurity negligence and not just for government contractors anymore.

Case in Point: The Illumina DNA Debacle

The Department of Justice just slapped Illumina, a DNA sequencing giant, with a $9.8 million settlement. Not for a data breach. Not for ransomware. Not even for medical misdiagnosis. But for what?

Selling medical devices to the government while lying about their cybersecurity posture.

According to whistleblowers and prosecutors, Illumina promised it adhered to NIST standards, FDA’s Quality System Regulation (QSR), and all the usual regulatory bedtime stories, but in reality, they left default admin settings, plaintext credentials, and a few invitations to hackers under the digital doormat.

Postmortem:

“We Meant to Patch That.” Buried next to: “The intern had it on his to-do list.”

Imagine selling armored trucks to the government with cardboard floors but signing off that you used titanium. That’s what happened. And theFalse Claims Act doesn’t take kindly to being lied to. Even if no one yet got hurt.

But Here's Where the Plot Thickens:

If you think this only applies to companies selling to Uncle Sam, think again.

Because lying about cybersecurity isn’t just bad for federal contracts, it’s bad business. And it may soon be bad criminal defense strategy if someone gets hurt.

Postmortem:

“The CISO Signed Off.” Turns out the 'CISO' was Carl from Accounting. He's very sorry.

The Legal Risk Spaghetti: FCA + QSR + Product Liability

Let’s untangle it:

False Claims Act (FCA): Lie to the government about the safety or compliance of your product = triple damages + civil penalties. Boom.
Quality System Regulation (21 CFR Part 820): Mandates manufacturers document how their products are safe, secure, and well-managed. (Spoiler: screenshots of "we got it" Slack messages don’t count.)
Product Liability: When someone does get hurt either physically, financially, reputationally, because your product was insecure by design, the tort bar will be there, filing claims faster than you can say “patch management lifecycle.”

Postmortem:

“It Was Only a Marketing Statement.” Cause of death: Discovery subpoena.

Security By Design: Not Just a Platitude

The idea is simple. Make cybersecurity part of your design phase, not just a compliance checklist signed by an intern.

To quote JP Morgan CISO Patrick Optet:

“Secure and resilient by design must go beyond slogans , it requires continuous, demonstrable evidence that controls are working effectively…”

Translation: "Trust us, we’re secure" is dead. Common Sense killed it before he passed. And “Trust, but audit” is the new sheriff in town.

Postmortem:

“We Followed Industry Best Practices.” Which, unfortunately, means “whatever we made up last quarter.”

This Isn't Just a Government Problem. It’s a Boardroom Problem.

Every company that:

Claims SOC2 compliance in a sales pitch,
Embeds a “secure login” icon in a PowerPoint slide,
Certifies HIPAA compliance in a business associate agreement,
Or signs off on a D&O policy with “adequate cyber controls” attestation…

…might be creating false claims or warranty breaches they’ll wish they hadn’t when:

A breach happens,
The class actions come,
The insurance claim gets denied,
And the audit trail leads back to someone in marketing saying, “just put secure on it.” I’ve seen it a million times!

Postmortem:

“Our Insurance Will Cover It.” Gravestone reads: “Claim Denied — Material Misrepresentation.”

What Would Common Sense Say?

Common Sense, if he weren’t six feet under, would whisper:

“If you don’t design it securely, don’t say that you did.” “If your CISO is part-time and reports to IT, get a will.” “Security theater is not a defense strategy.” Because your Lawyer is not an IT Specialist and God Help you if it is an OT event…Pucker up!

And for private-sector executives?

“If you think the FCA won’t apply to you, wait until your biggest client is the VA, a public university hospital, or a federally funded research lab.”

Why are we so certain? Welcome to the Second-Order liabilities of which you probably have no clue what that means. Well, reality didn’t die… and reality says you gotta pay up for this information!

Postmortem:

“The Client Never Asked About That.” Until the breach. Then they asked. In court.

Final Words from the Grave

Common Sense may be gone. But perhaps his ghost lives on in regulatory enforcement.

He tried to warn us with phrases like:

“Don’t sell a lie.”
“Don’t delegate security to chance.”
“Don’t certify what you can’t prove.”

But we were too busy shouting:

“That’s not my job.”
“We have insurance for that.”
“Legal signed off!”
And The Best one…” Blame the Intern”!

Postmortem:

“We Had a Strong Security Culture.” Until the phishing email said, “Free Pizza.”

So, Here’s the Call to Action:

Whether you’re in government procurement, healthcare tech, fintech SaaS, or you're just the guy responsible for that checkbox on your company’s compliance spreadsheet:

A. Bake security into your products.

B. Document everything like your bonus depends on it.

C. Assume your biggest client has a whistleblower with a conscience and a lawyer.

D. And whatever you do, don’t certify something you can’t prove.

Because in the absence of Common Sense, we now have the False Claims Act, the QSR, class action lawyers, and possibly (more than likely) your personal assets on the line.

May Common Sense rest in peace. May your audit trail not end up as Exhibit A.

Coming next week from the graveyard of good intentions:

“The Tragic Tale of Documentation Deferred,” “Gone Too Soon: The Patch That Never Was,” and “We Hired a Consultant (But Never Read the Report).”

For those who want to see the muse of my logic …Read on!

An Obituary printed in the London Times

Today we mourn the passing of a beloved old friend, Common Sense, who has been with us for many years. No one knows for sure how old he was, since his birth records were long ago lost in bureaucratic red tape. He will be remembered as having cultivated such valuable lessons as:

Knowing when to come in out of the rain;
Why the early bird gets the worm;
Life isn't always fair; and
Maybe it was my fault.

Common Sense lived by simple, sound financial policies (don't spend more than you can earn) and reliable strategies (adults, not children, are in charge). His health began to deteriorate rapidly when well-intention ed but overbearing regulations were set in place. Reports of a 6-year-old boy charged with **gender** harassment for kissing a classmate; teens suspended from school for using mouthwash after lunch; and a teacher fired for reprimanding an unruly student, only worsened his condition. Common Sense lost ground when parents attacked teachers for doing the job that they themselves had failed to do in disciplining their unruly children. It declined even further when schools were required to get parental consent to administer sun lotion or an aspirin to a student; but could not inform parents when a student became pregnant and wanted to have an abortion. Common Sense lost the will to live as the churches became businesses; and criminals received better treatment than their victims. Common Sense took a beating when you couldn't defend yourself from a burglar in your own home and the burglar could sue you for assault. Common Sense finally gave up the will to live, after a woman failed to realise that a steaming cup of coffee was hot. She spilled a little in her lap, and was promptly awarded a huge settlement. Common Sense was preceded in death, by his parents, Truth and Trust, by his wife, Discretion, by his daughter, Responsibility, and by his son, Reason. He is survived by his 4 stepbrothers;

I Know My Rights
I Want It Now
Someone Else Is To Blame
I'm A Victim

Not many attended his funeral because, so few realized he was gone. If you still remember him, pass this on. If not, join the majority and do nothing.

Thank you to Gerry Kennedy

https://www.linkedin.com/pulse/common-sense-dead-false-claims-act-cybersecurity-just-gerry-kennedy-35l5e

Regards

Caute_Cautim

Re: Common Sense Is Dead. But the False Claims Act and Cybersecurity Liability Just Got Interesting.

ericgeater — Tue, 12 Aug 2025 14:04:37 GMT

It is quite alarming to know that the Illumina settlement didn't even appear as a byline in my news feed. Thank you for sharing this, sir.

topic Re: Common Sense Is Dead. But the False Claims Act and Cybersecurity Liability Just Got Interesting. in Industry News

Common Sense Is Dead. But the False Claims Act and Cybersecurity Liability Just Got Interesting.”

Re: Common Sense Is Dead. But the False Claims Act and Cybersecurity Liability Just Got Interesting.