A recent decision in the federal district court for the Eastern District of California is one of the first to recognize application of the False Claims Act (“FCA”) to Department of Defense (“DoD”) cybersecurity requirements, and will likely encourage future lawsuits alleging noncompliance with federal cybersecurity procurement regulations. In United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245 WBS AC, 2019 WL 2024595 (E.D. Cal. May 8, 2019), the court denied the defendant contractor’s motion to dismiss the fraud allegations in the qui tam complaint against the company. The complaint—brought by a former employee of the company’s cybersecurity department a month after his termination from the company—alleged that the defendant fraudulently entered into DoD and National Aeronautics and Space Administration (“NASA”) contracts despite knowing that it did not meet the minimum standards required to receive the awards. The court permitted the case to move forward even though the government declined to intervene.
The primary regulation at issue in the case is DFARS 252.204-7012, which, as of December 31, 2017, requires contractors to have a cybersecurity plan in place that complies with the 110 recommended security control standards set forth in NIST SP 800-171. However, the court’s decision in Aerojet Rocketdyne focused on the previous 2013 final rule and the two 2015 interim rules implementing DFARS 252.204-7012, as well as a NASA cybersecurity regulation at 48 C.F.R. § 1852.204-76 governing contractor security controls for sensitive but unclassified government information.
What makes this case interesting is the relatively recent implementation of, and frequent changes to, the regulations at issue, together with the contractor’s partial disclosure of its noncompliance. The legal theories under which the court allowed the case to move forward were implied false certification and fraud in the inducement (promissory fraud). In its motion to dismiss, the contractor argued that it had notified the government that it was not compliant with the relevant DoD and NASA regulations and that it was therefore impossible to satisfy the materiality prong of the FCA on that basis. The court was unconvinced, finding that the relator properly alleged the contractor did not fully disclose the extent of its noncompliance with the relevant regulations, including those related to equipment, security controls, and firewalls, and that this misrepresentation continued over a period during which the contractor certified its compliance on invoices for payment. Quoting Escobar, the court maintained that “[w]hile it may be true that [the contractor] disclosed some of its noncompliance, a partial disclosure would not relieve defendants of liability where defendants failed to ‘disclose noncompliance with material statutory, regulatory, or contractual requirements.’” 2019 WL 2024595, at *3.
Similarly, in response to the contractor’s argument that the government never expected full compliance given the recency of the regulations, their frequent amendment, and agency guidance relaxing the requirements as they were implemented, the court stated that “[e]ven if the government never expected full technical compliance, relator properly pleads that the extent to which a company was technically compliant still mattered to the government’s decision to enter into a contract.” 2019 WL 2024595, at *5. The court also rejected the contractor’s argument that any noncompliance was immaterial because the government did not terminate the contractor after the complaint was filed, finding that what mattered was whether materiality existed at the time the government entered into the contract and when it made payments.
The stakes in these types of cases are high—both to the government that seeks to protect its networked information, and to the contractor who may face treble FCA damages for failure to comply with the regulations designed to protect that information, which in some cases could be higher than contract value. At a minimum, this case demonstrates that contractors working under procurements subject to DoD and other cybersecurity procurement regulations must remain vigilant in confirming the accuracy of their representations to the government about their cybersecurity plan. Contractors with concerns about whether their cybersecurity plans are compliant with the regulations, or whether they have made or will make a proper disclosure to the government about their plan, should consider consulting with legal counsel or other compliance professionals.