Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Fortinet Settles Whistleblower Case for $545,000

Sunnyvale, CA-based Fortinet agreed a deal worth $545,000 to settle a whistleblower lawsuit brought by the U.S. government and Yuxin ‘Jay’ Fang. The lawsuit alleged that Fortinet had supplied mislabeled goods manufactured by countries including China, falsely representing the goods were in compliance with the U.S Trade Agreements Act (TAA).

Sunnyvale, CA-based Fortinet agreed a deal worth $545,000 to settle a whistleblower lawsuit brought by the U.S. government and Yuxin ‘Jay’ Fang. The lawsuit alleged that Fortinet had supplied mislabeled goods manufactured by countries including China, falsely representing the goods were in compliance with the U.S Trade Agreements Act (TAA).

According to the settlement agreement and Department of Justice announcement public on 12 April, Fortinet has acknowledged that between 2009 and 2016 a former employee arranged to have the ‘country of origin’ labels on certain products to be altered so that they appeared to be in compliance with TAA requirements. Some of these products were resold through distributors and resellers to U.S. government end users.

In January 2016, the government and Yuxin ‘Jay’ Fang filed a complaint against Fortinet Inc and Arrow Enterprise Computing Services Inc. The allegation claimed that Yang — the whistleblower, or ‘relator’ within the complaint — had been instructed by his superiors, while employed by Fortinet, to alter labels on products before shipping them to customers.

The complaint alleges, “One of relator’s supervisors, Eddy Yuen, would often instruct Relator’s unit to ‘rework’ incoming shipments and/or to change the serial numbers on products before shipping them back to company headquarters in Sunnyvale, California. For those products whose serial numbers were altered, notices of the change were not included in the return shipment or noted in Fortinet’s internal system.”

The statement provided by the Department of Justice states that the complaint was initially made by Fang, but describes the culpable Fortinet employee as simply the ‘responsible employee’. “Fortinet acknowledged that the Responsible Employee’s actions involved products sold to certain distributors that subsequently sold them to resellers, which in turn sold a portion of them to U.S. government end users. The Responsible Employee has since been terminated from employment with Fortinet.”

The statement nowhere specifies the name of the responsible employee; although it is generally considered that this is more likely to be Fang than Yuen. Fang is certainly no longer employed by Fortinet. The statement does not specify whether the relator turned whistleblower before or after his employment termination.

Fortinet’s statement calls it an isolated incident. “This was an isolated incident that involved events from more than two years ago in which a rogue former employee acted against our policies. When we were made aware of the incident, we took immediate action, including thoroughly investigating the matter, terminating the employee and implementing additional safeguards to prevent an issue like this from happening again.”

The settlement of just over half-a-million dollars is surprisingly low for such a case. According to Fortinet, “The nominal settlement amount of $545,000 reflects in part our cooperation to promptly and thoroughly address this matter.” What still isn’t clear is whether the incident was discovered by Fortinet, Fang was terminated, and the incident reported; or whether the cooperation only commenced after Fang turned whistleblower.

Advertisement. Scroll to continue reading.

Whatever the sequence, it certainly appears as if Fortinet cooperated fully with the subsequent government investigation. Indeed, Ross Todd at The Recorder, is confident that the arrest of former DOJ lawyer and Akin Gump Strauss Hauer & Feld partner Jeffrey Wertkin in 2017, while attempting to sell a copy of an underseal qui tam complaint (for a ‘consulting fee’ of $310,000), involved both Fortinet and this complaint.

Todd was told by Fang’s lawyers, “On the one hand, Fortinet engaged in a brazen and fraudulent scheme that included creating phony labels, but on the other hand, the company did the right thing when Wertkin offered to sell it sealed government documents. I am certain its cooperation influenced the amount of the final settlement agreement on the mislabeling charges.”

If this is true, it would explain the inclusion of ‘other matters’ in the DoJ’s statement, “The settlement reflects Fortinet’s cooperation with the government in this and other matters.”

The settlement comprises a payment of $400,000, and an agreement to provide the United States Marine Corps with additional equipment valued at $145,000.

Related: Tesla Breach: Malicious Insider Revenge or Whistleblowing? 

Related: Pink-haired Whistleblower at Heart of Facebook Scandal 

Related: Fortinet Tackles Insider Threats with ZoneFox Acquisition 

Related: Fortinet Introduces New Next-Generation Firewalls 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

Cynet announced the appointment of Jason Magee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.