The shift to a remote working environment as a result of the coronavirus (COVID-19) pandemic has drawn attention to data security and business continuity risks. With increased demand for technology services comes increased scrutiny, which may include False Claims Act investigations and litigation targeting providers of hardware, software, and other technology products and services to the government.

The False Claims Act (FCA) imposes liability on any person for making false claims or false statements in connection with a claim. 31 USC § 3729(a)(1)(A), (B). A “claim” is any request or demand for money made directly or indirectly to the government. FCA liability requires proof of materiality, meaning that the government would not have paid a claim had it known of the alleged falsehood.

Last year, the US Department of Justice (DOJ) recovered more than $3 billion from settlements and judgments under the federal FCA. While the majority of settlements involved alleged healthcare fraud, a traditional area of focus for prosecutors, some notable recent examples involved the sale of technology or software services:

• In February 2019, an electronic medical records provider paid $57.25 million to settle FCA claims alleging that it had misrepresented the capabilities of its electronic health records software to the US Department of Health and Human Services during the procurement process.
• In July 2019, a prominent hardware and software vendor agreed to pay $8.6 million to settle FCA claims alleging the company sold video surveillance equipment to government agencies with knowledge that the equipment was susceptible to cyberattacks.
• In June 2020, the US District Court for the Middle District of Pennsylvania unsealed an FCA complaint against a professional consulting firm based on the firm’s alleged overbilling of federally funded IT consulting services to the state government. The relator alleged that the firm had, among other things, overstated the amount of work performed and submitting artificially low bids. After the government declined to intervene, the relator voluntarily dismissed the case.
• In July 2020, the US District Court for the District of Columbia unsealed an FCA complaint against a technology company based on its provisions of network hardware, software, and support services to the US military. The relator there alleged that the contractor was secretly depriving the US Department of Defense (DOD) of certain value-added services that it had agreed to provide. The government declined to intervene and the relator dismissed the case shortly thereafter.

These examples represent a broader trend in FCA liability that focuses on fraud in connection with the sale of software, hardware, and other tech services to government customers. Of particular concern are claims alleging that technology companies overstated or misrepresented the security or utility of their products to the government.

A recent ruling by the US District Court for the District of Columbia provides a perfect illustration. There, a self-described “expert in computer hardware” conducted an “independent investigation” into computer systems that a computer manufacturer sold to DOD. He discovered a “cybersecurity hardware vulnerability” and filed a qui tam complaint against the company, claiming that it violated the FCA by failing to disclose the vulnerability to the government. Interestingly, the court dismissed the case, ruling that the vulnerability was not material. More specifically, the court explained, applicable technology policies and contract requirements did “not require defect-free products, merely that the agencies limit the vulnerabilities and attempt to remedy them if located.” The court also pointed to the fact that DOJ continued to purchase the products even after DOD learned of the alleged defect as “at least some evidence that” the defect was not material to the government.

The ruling is a positive development for companies facing these claims, but this is a rapidly evolving area and differs from traditional FCA prosecutions in a number of material respects, including quickly evolving technology and changing levels of technical proficiency by prosecutors and courts. And, while early cases have been limited to the technology sector, this focus will likely expand to all government contractors that store confidential or proprietary data, including healthcare and defense companies.

Nonetheless, companies can take a number of steps to mitigate these risks. Specifically, government contractors or suppliers should ensure that, with respect to data and technology, their disclosures to government customers are robust. Although the legal threshold is the same, demonstrating disclosure and government knowledge may be more challenging for topics that are unfamiliar to government customers, prosecutors, and judges alike. Having clear, accurate, thorough, and well-documented disclosures is key. Frequent communication with government customers regarding changes to underlying technologies as well as new risks to data security is not just a sound business practice—it’s a key component of a strong FCA defense. Ensuring that customers understand evolving risks and mitigation is crucial since neither technology nor its vulnerabilities are static. Finally, companies should ensure their representations concerning cybersecurity are not unrealistic in light of rapidly evolving technological risks and advances.

[View source.]