Sunnyvale, CA-based Fortinet agreed a deal worth $545,000 to settle a whistleblower lawsuit brought by the U.S. government and Yuxin ‘Jay’ Fang. The lawsuit alleged that Fortinet had supplied mislabeled goods manufactured by countries including China, falsely representing the goods were in compliance with the U.S Trade Agreements Act (TAA).
According to the settlement agreement and Department of Justice announcement public on 12 April, Fortinet has acknowledged that between 2009 and 2016 a former employee arranged to have the ‘country of origin’ labels on certain products to be altered so that they appeared to be in compliance with TAA requirements. Some of these products were resold through distributors and resellers to U.S. government end users.
In January 2016, the government and Yuxin ‘Jay’ Fang filed a complaint against Fortinet Inc and Arrow Enterprise Computing Services Inc. The allegation claimed that Yang — the whistleblower, or ‘relator’ within the complaint — had been instructed by his superiors, while employed by Fortinet, to alter labels on products before shipping them to customers.
The complaint alleges, “One of relator’s supervisors, Eddy Yuen, would often instruct Relator’s unit to ‘rework’ incoming shipments and/or to change the serial numbers on products before shipping them back to company headquarters in Sunnyvale, California. For those products whose serial numbers were altered, notices of the change were not included in the return shipment or noted in Fortinet’s internal system.”
The statement provided by the Department of Justice states that the complaint was initially made by Fang, but describes the culpable Fortinet employee as simply the ‘responsible employee’. “Fortinet acknowledged that the Responsible Employee’s actions involved products sold to certain distributors that subsequently sold them to resellers, which in turn sold a portion of them to U.S. government end users. The Responsible Employee has since been terminated from employment with Fortinet.”
The statement nowhere specifies the name of the responsible employee; although it is generally considered that this is more likely to be Fang than Yuen. Fang is certainly no longer employed by Fortinet. The statement does not specify whether the relator turned whistleblower before or after his employment termination.
Fortinet’s statement calls it an isolated incident. “This was an isolated incident that involved events from more than two years ago in which a rogue former employee acted against our policies. When we were made aware of the incident, we took immediate action, including thoroughly investigating the matter, terminating the employee and implementing additional safeguards to prevent an issue like this from happening again.”
The settlement of just over half-a-million dollars is surprisingly low for such a case. According to Fortinet, “The nominal settlement amount of $545,000 reflects in part our cooperation to promptly and thoroughly address this matter.” What still isn’t clear is whether the incident was discovered by Fortinet, Fang was terminated, and the incident reported; or whether the cooperation only commenced after Fang turned whistleblower.
Whatever the sequence, it certainly appears as if Fortinet cooperated fully with the subsequent government investigation. Indeed, Ross Todd at The Recorder, is confident that the arrest of former DOJ lawyer and Akin Gump Strauss Hauer & Feld partner Jeffrey Wertkin in 2017, while attempting to sell a copy of an underseal qui tam complaint (for a ‘consulting fee’ of $310,000), involved both Fortinet and this complaint.
Todd was told by Fang’s lawyers, “On the one hand, Fortinet engaged in a brazen and fraudulent scheme that included creating phony labels, but on the other hand, the company did the right thing when Wertkin offered to sell it sealed government documents. I am certain its cooperation influenced the amount of the final settlement agreement on the mislabeling charges.”
If this is true, it would explain the inclusion of ‘other matters’ in the DoJ’s statement, “The settlement reflects Fortinet’s cooperation with the government in this and other matters.”
The settlement comprises a payment of $400,000, and an agreement to provide the United States Marine Corps with additional equipment valued at $145,000.
Related: Tesla Breach: Malicious Insider Revenge or Whistleblowing?
Related: Pink-haired Whistleblower at Heart of Facebook Scandal
Related: Fortinet Tackles Insider Threats with ZoneFox Acquisition
Related: Fortinet Introduces New Next-Generation Firewalls
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
Tags: 
