Ron Sharon

Cybersecurity and Technology Leader

Government Contractors Face False Claims Act Liability for Cybersecurity Non-Compliance | Bass, Berry & Sims PLC

Last week, the District Court for the Eastern District of California denied the defendant’s motion for summary judgment of a False Claims Act (FCA) count against Aerojet Rocketdyne (Aerojet) for allegedly fraudulently inducing the government to enter into federal contracts when the company knew it was not compliant with cybersecurity requirements.

The order contains important lessons for government contractors in the emerging area of FCA liability based on noncompliance with cybersecurity obligations. While the litigation is ongoing and may ultimately be resolved in Aerojet’s favor, the order demonstrates the growing importance of cybersecurity compliance.

Background

On October 29, 2015, Brian Markus, Aerojet’s former senior director of Cyber Security, Compliance and Controls, filed an FCA action alleging that Aerojet had failed to comply with its cybersecurity obligations under Department of Defense (DoD) and NASA cybersecurity contract provisions. Markus claimed that Aerojet became aware of its noncompliance after it engaged a company to audit its cybersecurity program yet continued to seek and be awarded government contracts based in part on false statements regarding cybersecurity compliance. Subsequently, Markus claimed that he refused to sign cybersecurity compliance certifications, reported the issue, and was terminated shortly after.

After the government declined to intervene, the relator filed an amended complaint including the following counts:

  1. Promissory fraud.
  2. False or fraudulent statement of record.
  3. Conspiracy to submit false claims.
  4. Retaliation.
  5. A California Labor Code violation.
  6. Wrongful termination.

The judge granted Aerojet’s motion to compel arbitration regarding employment-based claims and dismissed the conspiracy count with prejudice because the relator had failed to identify two or more parties that had engaged in the alleged conspiracy.

But the court allowed the two FCA counts – promissory fraud and false or fraudulent statement of record – to proceed, in part because:

  1. The relator alleged that while Aerojet may have disclosed that it was non-compliant with cybersecurity requirements, it failed to fully disclose the extent of its noncompliance.
  2. The fact that the government continued to contract with Aerojet despite the litigation and government investigation did not mean the noncompliance did not meet the materiality requirement because “the appropriate inquiry is whether [Aerojet’s] alleged misrepresentations were material at the time the government entered into or made payments on the relevant contracts.”
  3. The government’s decision to not intervene in the case was not relevant to the materiality of the cybersecurity certifications.
  4. Even if the government never expected full compliance with the cybersecurity standards, “the extent to which a company was technically compliant still mattered to the government’s decision to enter into a contract.”

2022 Order

After narrowing the case to the two FCA counts, the parties filed cross-motions for summary judgment. On February 1, the court granted summary judgment as to one of those two counts but allowed the other FCA count to proceed.

First, the court limited the government contracts at issue to only those awarded to Aerojet before filing the qui tam suit, reducing the number of contracts at issue from 18 to 12. The number of contracts was further reduced to seven because only six of the remaining 12 contracts included the DoD or NASA cybersecurity contract provisions, but another had a DD-254 that required Aerojet to comply with all laws and regulations governing access to “Unclassified Controlled Technical Information.”

The court then turned to the relator’s FCA claims for knowingly presenting a false claim for payment or approval and knowingly making, using, or causing to be made a false record or statement material to a false or fraudulent claim. After acknowledging two doctrines of FCA liability in this context – promissory fraud (fraud in the inducement) and false certification – the court explained that a relator must demonstrate the same elements under both theories:

  1. A false statement or fraudulent course of conduct.
  2. The statement was made with scienter (knowingly).
  3. That the statement was material, causing the government to pay out money or forfeit money due.

Summary Judgment Granted on the False Certification Count

Aerojet, but not the relator, moved for summary judgment on the false certification count. Because the relator’s sole basis for its false certification claim was a single invoice payment under a contract that Aerojet had entered into after the FCA case had been filed, the court granted Aerojet summary judgment on that count.

Parties’ Summary Judgment Motions Denied on the Promissory Fraud Count and Damages

Concerning the promissory fraud claim, the court held it could not issue a summary judgment to the relator as to the false statement or fraudulent course of conduct element because Aerojet “disclosed noncompliance with the … regulations” but “the extent of the disclosure is unclear from the evidence presented at this stage.”

The court then determined that it could not issue summary judgment on the “knowingly” scienter requirement because Aerojet had actual knowledge of both the requirement to comply with the DoD/NASA cybersecurity requirements and its noncompliance with those requirements as a result of outside audits. The court also found a genuine dispute of fact as to whether compliance with the cybersecurity requirements was material to the government’s payment decision. While Aerojet was correct that the government awarded contracts to companies despite knowing they were not fully compliant with the DoD and NASA provisions, it was not possible for the court to “speculate as to the other contractors’ level of noncompliance when analyzing whether similar ‘particular types’ of claims were paid” for determination of materiality.

As to the last element of causation, the court also found there was a dispute as to whether Aerojet had disclosed the full extent of its noncompliance.

Both parties also moved for summary judgment as to damages, with the relator arguing that he had established entitlement to over $19 billion in damages, three times the sum of every invoice paid under each contract the relator alleged Aerojet had obtained by fraud, while Aerojet argued the relator had not presented any evidence that the government suffered any damages. Unsurprisingly, the court did not believe the record supported either claim.

Lessons Going Forward

While Aerojet may ultimately prevail in this FCA litigation, the FCA case is proceeding despite the government’s awareness of the noncompliance when the contracts at issue were awarded.

Government contractors should note several issues raised in the court’s opinion. First, companies should be thoughtful and deliberate about whether to engage counsel to oversee these types of internal audits to establish a colorable claim that the results are privileged.

Second, if a contractor is not fully compliant with cybersecurity requirements, reasonable steps should be taken to remedy the lack of compliance as quickly as possible. If the intention is to compete for contracts in advance of completing that process, it is vitally important that the contractor disclose not just its ongoing efforts but also the full extent of any noncompliance.

As discussed in prior blog posts, our cross-disciplinary team at Bass, Berry & Sims of FCA litigators, former prosecutors, and government contracts attorneys expects that FCA actions based on alleged noncompliance with cybersecurity requirements will continue to increase over the coming years.