The decision in United States ex rel. Morsell v. NortonLifeLock Inc., No. 1:12-cv-00800 (D.D.C. Jan. 19, 2023), is a striking reminder of the strategic importance of pushing plaintiffs to prove FCA damages with reasonable certainty.

The decision in United States ex rel. Morsell v. NortonLifeLock Inc., No. 1:12-cv-00800 (D.D.C. Jan. 19, 2023), is a striking reminder of the strategic importance of pushing plaintiffs to prove FCA damages with reasonable certainty. After a bench trial of the qui tam allegations, the court ruled that NortonLifeLock (f/k/a Symantec Corporation (Symantec)) violated state and federal False Claims Acts (FCA) but awarded only $1.3 million in civil damages and statutory penalties to the United States and about $380,000 to California—a mere fraction of the $280 million in FCA damages sought by the United States. The opinion stated that the government proved liability but failed to meet its burden of proving the majority of its claimed damages.

Background

The General Services Administration (GSA) and Symantec, later renamed NortonLifeLock, entered into a Multiple Award Schedule (MAS) contract in January 2007. In May 2012, a Symantec employee, Lori Morsell, filed a qui tam action alleging that the company violated the FCA and analogous state laws. Morsell alleged that Symantec failed to provide accurate and complete information regarding the discounts and rebates offered to commercial customers, causing the GSA to pay higher prices under the MAS contract.

The case involved NortonLifeLock’s alleged misrepresentation of its best commercial prices both during contract negotiations and throughout the life of its contract with the GSA under the MAS Program. Under the MAS Program, offerors must accurately disclose their Commercial Sales Practices (CSP), including all sales and discounting practices.[1] All MAS contracts contain three standard clauses—the Price Adjustment Clause, the Modifications Clause, and the Price Reduction Clause (PRC)—that are designed to safeguard the government’s advantageous pricing.[2]

The United States intervened in the case, joined later by the states of California and Florida. Morsell elected to assert claims on behalf of New York State. Prior to trial, Symantec reached an agreement with Florida, resulting in a stipulated dismissal with prejudice of Florida’s claims. Morsell on behalf of New York reached a stipulated settlement with Norton, and she voluntarily dismissed her claims at the start of the bench trial.

The District Court Decision

The court’s sprawling 186-page opinion provides a detailed account of why the court issued its verdict holding that Symantec violated the FCA. The court stated that the government proved the following:

  • Symantec knowingly submitted materially false CSP disclosures, which fraudulently induced the GSA to enter into the MAS contract.
  • Symantec impliedly certified compliance with PRC and CSP requirements when submitting claims.
  • Symantec recklessly disregarded its obligations to ensure compliance with the MAS Program, and so made knowing, materially false statements through subsequent modifications reaffirming the materially false initial CSP.
  • Symantec “failed to offer the price reductions to which GSA was entitled during the life of the contract.”

Despite finding Symantec liable, the court was unable to determine treble damages on these claims. First, the court found that NortonLifeLock violated the FCA through fraudulent misrepresentations during initial negotiations and by reaffirming these initial misrepresentations throughout the life of the contract. The court recognized that the GSA would have insisted on more-favorable discounts had Symantec not misled it during negotiations. Additionally, the court recognized that the GSA would have renegotiated a more advantageous discount had Symantec “come clean” during the life of the contract.

Yet the court was unable to determine treble damages because the government’s expert calculated damages based on the alleged PRC violations, asserting that the price reductions the GSA should have received during the life of the contract represented the discount the GSA would have negotiated had it received accurate and complete information from Symantec. Thus, the court could not “discern a proximate causation between Symantec’s wrongful conduct . . . and the United States’ claimed damages.” The court stated that “[a]lthough it is more likely than not that GSA would have insisted on a more advantageous discount had Symantec not made the misleading representations during negotiations, there is simply no evidence of how much more advantageous the GSA discounts would have been.” The “United States . . . made the strategic choice to tie its damages calculations to PRC violations, leaving no way for the court to disentangle the two,” and consequently, the court could not determine with reasonable certainty how much the GSA would have paid had Symantec provided complete and accurate information.

The court was not satisfied with the government’s expert’s calculations. Specifically, the government’s expert prepared two datasets containing transactions that allegedly violated the PRC, but the court found that the government’s expert failed to reasonably show that the suspect transactions constituted PRC violations. The datasets were overinclusive. Moreover, the government’s expert failed to account for order-level discounts, which inflated the average should-have-paid discounts. Taken together, the court was unable to disentangle whatever actual damages the GSA sustained based on the proof provided by the expert.

The court acknowledged the “tension in its determination that the United States has met its burden on liability but not on damages with respect to PRC discounts.” Yet the “essentially punitive” nature of treble damages under the FCA made it “especially important to hold the United States to its burden of proving those damages rather than attempting to estimate them through numerical guesswork.”

Ultimately, the court was only able to calculate damages stemming from Symantec’s failure to disclose the rebate program. The United States requested that the court award 3% of the total alleged damages for the failure to disclose the rebate program. Given that the damages calculation provided by the United States’ expert was discarded, the court relied on the conservative “ballpark estimate” calculated by Symantec’s expert. Symantec’s expert calculated $11,877,224 (in comparison to the United States’ expert’s calculation of $281,552,189), and the court used this figure to award treble damages of $1,068,950.16.

The court also assessed civil penalties for the various false statements violating the FCA, finding that the following conduct amounted to false statements: (1) the submission of the materially false discount-frequency chart as part of the CSP, (2) the failure to disclose the rebate program during negotiations, (3) the original GSA price list providing falsely inflated prices, and (4) the 18 contract modifications in which Symantec reaffirmed the false CSP. Looking at the totality of the circumstances, the court awarded the maximum statutory penalty of $11,000 for each false statement—$231,000 total.

The outcome was much the same for the state of California, which proved that Symantec was liable under the state’s FCA statute but failed to meet its burden of proving damages. California’s damages expert relied on the same flawed methodology as the United States’ expert, tying its damages to the PCR violations. Still, the court was able to identify 69 false claims under the California MAS program. The court determined that the statutory minimum, $5,500 per claim, was appropriate. The court awarded $379,500 in civil penalties.

KEY TAKEAWAYS

Damages Must Be Proven with Reasonable Certainty

There are repercussions for failing to provide a comprehensible method that allows a court to find proximate causation and calculate FCA damages with reasonable certainty. Given the punitive nature of treble damages under the FCA, it is particularly important to hold the government to its burden of proving those damages rather than allowing it to rely on numerical guesswork. Here, the United States made a strategic decision to maximize its damages claim rather than apply a reliable methodology tied to the evidence showing the amount the GSA allegedly should have paid based on the PRC violations. The United States needed to identify every relevant order/purchase, which entailed categorizing hundreds of thousands of product numbers and tens of thousands of orders. The MAS Program and pricing structure is complicated, and Symantec had less-than-robust documentation of its discounting practices, but the dense methodology likely hindered the United States’ efforts to prove damages with reasonable certainty.

Failure to Properly Monitor Contract Performance Compliance Carries the Risk of Acting with “Reckless Disregard” Under the FCA Knowledge Standard

Contractors who fail to implement effective compliance practices during the performance of an MAS contract risk allegations of government-contract fraud. Despite avoiding the draconian damages alleged by the Department of Justice, Symantec was found liable under the FCA because the company’s compliance program was not sufficiently effective to ensure compliance with the MAS Program. This amounted to “reckless disregard” of the truth or falsity of the relevant information submitted to the GSA. The record indicates that Symantec employees were unaware of their roles or responsibilities related to the MAS contract. As with any government-contract relationship, contractors should regularly review and test the effectiveness of their compliance measures to mitigate enterprise risk.

If you have additional questions or need further assistance, please reach out to T. Reed Stephens (Partner, White Collar, Regulatory Defense & Investigations), Christopher Parker (Associate, White Collar, Regulatory Defense & Investigations), Elayna Napoli (Associate, General Litigation), or your Winston & Strawn relationship attorney.


[1] GSAM § 515.408

[2] GSAM § 552.215-72, 552.243-72(b)(ii), 552.238-75.