LawFlash

Uptick in FCA Investigations and Litigation Targeting Tech Services

November 02, 2020

The shift to a remote working environment as a result of the coronavirus (COVID-19) pandemic has drawn attention to data security and business continuity risks. With increased demand for technology services comes increased scrutiny, which may include False Claims Act investigations and litigation targeting providers of hardware, software, and other technology products and services to the government.

The False Claims Act (FCA) imposes liability on any person for making false claims or false statements in connection with a claim. 31 USC § 3729(a)(1)(A), (B). A “claim” is any request or demand for money made directly or indirectly to the government. FCA liability requires proof of materiality, meaning that the government would not have paid a claim had it known of the alleged falsehood.

Last year, the US Department of Justice (DOJ) recovered more than $3 billion from settlements and judgments under the federal FCA. While the majority of settlements involved alleged healthcare fraud, a traditional area of focus for prosecutors, some notable recent examples involved the sale of technology or software services:

  • In February 2019, an electronic medical records provider paid $57.25 million to settle FCA claims alleging that it had misrepresented the capabilities of its electronic health records software to the US Department of Health and Human Services during the procurement process.
  • In July 2019, a prominent hardware and software vendor agreed to pay $8.6 million to settle FCA claims alleging the company sold video surveillance equipment to government agencies with knowledge that the equipment was susceptible to cyberattacks.
  • In June 2020, the US District Court for the Middle District of Pennsylvania unsealed an FCA complaint against a professional consulting firm based on the firm’s alleged overbilling of federally funded IT consulting services to the state government. The relator alleged that the firm had, among other things, overstated the amount of work performed and submitting artificially low bids. After the government declined to intervene, the relator voluntarily dismissed the case.
  • In July 2020, the US District Court for the District of Columbia unsealed an FCA complaint against a technology company based on its provisions of network hardware, software, and support services to the US military. The relator there alleged that the contractor was secretly depriving the US Department of Defense (DOD) of certain value-added services that it had agreed to provide. The government declined to intervene and the relator dismissed the case shortly thereafter.

These examples represent a broader trend in FCA liability that focuses on fraud in connection with the sale of software, hardware, and other tech services to government customers. Of particular concern are claims alleging that technology companies overstated or misrepresented the security or utility of their products to the government.

A recent ruling by the US District Court for the District of Columbia provides a perfect illustration. There, a self-described “expert in computer hardware” conducted an “independent investigation” into computer systems that a computer manufacturer sold to DOD. He discovered a “cybersecurity hardware vulnerability” and filed a qui tam complaint against the company, claiming that it violated the FCA by failing to disclose the vulnerability to the government. Interestingly, the court dismissed the case, ruling that the vulnerability was not material. More specifically, the court explained, applicable technology policies and contract requirements did “not require defect-free products, merely that the agencies limit the vulnerabilities and attempt to remedy them if located.” The court also pointed to the fact that DOJ continued to purchase the products even after DOD learned of the alleged defect as “at least some evidence that” the defect was not material to the government.

The ruling is a positive development for companies facing these claims, but this is a rapidly evolving area and differs from traditional FCA prosecutions in a number of material respects, including quickly evolving technology and changing levels of technical proficiency by prosecutors and courts. And, while early cases have been limited to the technology sector, this focus will likely expand to all government contractors that store confidential or proprietary data, including healthcare and defense companies.

Nonetheless, companies can take a number of steps to mitigate these risks. Specifically, government contractors or suppliers should ensure that, with respect to data and technology, their disclosures to government customers are robust. Although the legal threshold is the same, demonstrating disclosure and government knowledge may be more challenging for topics that are unfamiliar to government customers, prosecutors, and judges alike. Having clear, accurate, thorough, and well-documented disclosures is key. Frequent communication with government customers regarding changes to underlying technologies as well as new risks to data security is not just a sound business practice—it’s a key component of a strong FCA defense. Ensuring that customers understand evolving risks and mitigation is crucial since neither technology nor its vulnerabilities are static. Finally, companies should ensure their representations concerning cybersecurity are not unrealistic in light of rapidly evolving technological risks and advances.

NAVIGATING THE NEXT.

Sharing insights and resources that help our clients prepare for and address evolving issues is a hallmark of Morgan Lewis. To that end, we maintain a resource center with access to tools and perspectives on timely topics driven by current events such as the global public health crisis, economic uncertainty, and geopolitical dynamics. Find resources on how to cope with the globe’s ever-changing business, social, and political landscape at Navigating the NEXT. and Coronavirus COVID-19 to stay up to date on developments as they unfold. Subscribe now if you would like to receive a digest of new updates to these resources.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Chicago
Megan R. Braden
Tinos Diamantatos

Houston
B. Scott McBride
John W. Petrelli

Miami
Alison Tanchyk

New York
Kelly A. Moore
Martha B. Stolley
Daniel B. Tehrani

Philadelphia
Meredith S. Auten
John C. Dodds
Lisa C. Dykstra
Rebecca J. Hillyer
Ryan P. McCarthy
Zane David Memeger
John J. Pease, III
Eric W. Sitarchuk

Washington, DC
Douglas W. Baruch
Giovanna M. Cinelli
Brad Fagg
Scott A. Memmott
Sandra Moser
Kenneth J. Nunnenkamp
Amanda B. Robinson
Jennifer M. Wollenberg
Howard J. Young