Fortinet To Pay $545K To Settle Claim That Ex-Employee Defrauded Feds

For more than seven years, a now-terminated Fortinet employee directed employees and contractors to alter certain product labels to obscure the country of origin, according to a settlement agreement.

Fortinet has agreed to a $545,000 settlement after acknowledging that a former employee had product labels changed to make the items appear compliant with Federal procurement law.

The agreement between the Sunnyvale, Calif. based cybersecurity vendor and the U.S. government - which was announced Friday night- stated that, between January 2009 and fall 2016, a now-terminated Fortinet employee responsible for supply chain management directed certain employees and contractors to alter product labels so that no country of origin is listed, or to include the phrases "Designed in the United States and Canada," or "Assembled in the United States."

A portion of the products with changed labels were resold through distributors and subsequent resellers to U.S. government end users, the settlement stated. The label alternation meant all the items appeared to be compliant with the Trade Agreements Act (TAA), which mandates that products on government contracts be manufactured or "substantially transformed" in the U.S. or another designated country.

[Related: 5 Boldest Statements From CEO Ken Xie At Fortinet Accelerate 19]

The agreement settled a January 2016 lawsuit against Fortinet by Yuxin "Jay" Fang, who said in the compliant that he formerly worked as a logistics specialist in Fortinet's Vancouver, Canada offices. Fang accused Fortinet of certifying that all its products were manufactured in TAA designated countries, when in fact some were made in non-designated countries, including Taiwan (prior to August 2009) and China.

“Contractors that supply the U.S. Government with Chinese-made technology will be pursued and held accountable when violating the Trade Agreement Act,” Bryan Denny, Defense Criminal Investigative Services (DCIS) special agent in charge, said in a press release from the U.S. Attorney's Office. “The DCIS and its law enforcement partners are committed to combatting procurement fraud and cyber risk within U.S. Department of Defense programs.”

Even though Fortinet believes some of the products at issue may have actually been compliant with the TAA, the employee's actions were nonetheless in clear violation of established company policy, according to the settlement filing.

To settle the allegations, Fortinet has agreed to pay $400,000 and provide the United States Marine Corps with additional equipment valued at $145,000.

A Fortinet spokesperson said the "nominal" settlement amount of $545,000 reflects in part the company's cooperation to promptly and thoroughly address the matter.

"This was an isolated incident that involved events from more than two years ago in which a rogue former employee acted against our policies," the Fortinet spokesperson said. "When we were made aware of the incident, we took immediate action, including thoroughly investigating the matter, terminating the employee and implementing additional safeguards to prevent an issue like this from happening again."

Upon learning of the responsible employee's unauthorized actions, Fortinet promptly placed him on a leave of absence while conducting an internal investigation with the assistance of outside counsel, the settlement stated. The company cooperated with the government's investigation and shared the results of its internal investigation into the matter, according to a press release from the U.S. Attorney's Office.

Once the investigation was concluded, Fortinet terminated the employment of the responsible worker, according to the settlement.

Under the False Claims Act - which imposes liability on people and companies who defraud governmental programs - private citizens like Fang can bring suit on or behalf of the government and share in any recovery. The False Claims Act also permits the United States to intervene in and take over a whistleblower suit, which was done here, according to the U.S. Attorney's Office press release.

"Contractors who undermine American trade interest and pose a security risk by selling unauthorized foreign-made devices to the United States will be held accountable," Amanda Thandi, special agent in charge for the Department of Homeland Security's Office of the Inspector General, said in the press release.

Fang also named Arrow Enterprise Computing Solutions as a defendant in his 2016 complaint, accusing the Centennial, Colo.-based distributor of violating its Trade Agreements Act compliance certifications when it sold Fortinet products to the U.S. government that didn’t originate in TAA designated countries.

The Fortinet settlement filing indicates that the United States won't intervene in the portion of the lawsuit related to Arrow, but will allow Fang to maintain the action in the name of the United States. Arrow didn't immediately respond to a request for comment.