The shift to a remote working environment as a result of the coronavirus (COVID-19) pandemic has drawn attention to data security and business continuity risks. With increased demand for technology services comes increased scrutiny, which may include False Claims Act investigations and litigation targeting providers of hardware, software, and other technology products and services to the government.
The False Claims Act (FCA) imposes liability on any person for making false claims or false statements in connection with a claim. 31 USC § 3729(a)(1)(A), (B). A “claim” is any request or demand for money made directly or indirectly to the government. FCA liability requires proof of materiality, meaning that the government would not have paid a claim had it known of the alleged falsehood.
Last year, the US Department of Justice (DOJ) recovered more than $3 billion from settlements and judgments under the federal FCA. While the majority of settlements involved alleged healthcare fraud, a traditional area of focus for prosecutors, some notable recent examples involved the sale of technology or software services:
These examples represent a broader trend in FCA liability that focuses on fraud in connection with the sale of software, hardware, and other tech services to government customers. Of particular concern are claims alleging that technology companies overstated or misrepresented the security or utility of their products to the government.
A recent ruling by the US District Court for the District of Columbia provides a perfect illustration. There, a self-described “expert in computer hardware” conducted an “independent investigation” into computer systems that a computer manufacturer sold to DOD. He discovered a “cybersecurity hardware vulnerability” and filed a qui tam complaint against the company, claiming that it violated the FCA by failing to disclose the vulnerability to the government. Interestingly, the court dismissed the case, ruling that the vulnerability was not material. More specifically, the court explained, applicable technology policies and contract requirements did “not require defect-free products, merely that the agencies limit the vulnerabilities and attempt to remedy them if located.” The court also pointed to the fact that DOJ continued to purchase the products even after DOD learned of the alleged defect as “at least some evidence that” the defect was not material to the government.
The ruling is a positive development for companies facing these claims, but this is a rapidly evolving area and differs from traditional FCA prosecutions in a number of material respects, including quickly evolving technology and changing levels of technical proficiency by prosecutors and courts. And, while early cases have been limited to the technology sector, this focus will likely expand to all government contractors that store confidential or proprietary data, including healthcare and defense companies.
Nonetheless, companies can take a number of steps to mitigate these risks. Specifically, government contractors or suppliers should ensure that, with respect to data and technology, their disclosures to government customers are robust. Although the legal threshold is the same, demonstrating disclosure and government knowledge may be more challenging for topics that are unfamiliar to government customers, prosecutors, and judges alike. Having clear, accurate, thorough, and well-documented disclosures is key. Frequent communication with government customers regarding changes to underlying technologies as well as new risks to data security is not just a sound business practice—it’s a key component of a strong FCA defense. Ensuring that customers understand evolving risks and mitigation is crucial since neither technology nor its vulnerabilities are static. Finally, companies should ensure their representations concerning cybersecurity are not unrealistic in light of rapidly evolving technological risks and advances.
Sharing insights and resources that help our clients prepare for and address evolving issues is a hallmark of Morgan Lewis. To that end, we maintain a resource center with access to tools and perspectives on timely topics driven by current events such as the global public health crisis, economic uncertainty, and geopolitical dynamics. Find resources on how to cope with the globe’s ever-changing business, social, and political landscape at Navigating the NEXT. and Coronavirus COVID-19 to stay up to date on developments as they unfold. Subscribe now if you would like to receive a digest of new updates to these resources.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Douglas W. Baruch
Giovanna M. Cinelli
Scott A. Memmott
Matthew S. Miner
Kenneth J. Nunnenkamp
Amanda B. Robinson
Stephen E. Ruscus
Jennifer M. Wollenberg
Howard J. Young