Contractors’ Cybersecurity Violations Potentially Actionable Under False Claims Act
Bloomberg Law
A federal district court in California recently allowed a relator’s False Claims Act lawsuit against two federal contractors to proceed where the allegations centered on purported noncompliance with federal cybersecurity requirements.
This case in the U.S. District Court for the Eastern District of California (Markus v. Aerojet Rocketdyne Holdings Inc., No. 2:15-cv-2245) should serve as a wake-up call to all federal government contractors that are subject to cybersecurity requirements.
Although federal contractors have long feared that perceived noncompliance with federal cybersecurity requirements may give rise to liability under the FCA, as mentioned above, the court’s decision in this case not only validates those fears, but it is a portent of things to come and provides a potential roadmap for other relators.
Defendant Companies in Aerospace, Defense Industry
In this case, the relator worked for the defendants, two companies that “develop and manufacture products for the aerospace and defense industry,” as the senior director of Cyber Security, Compliance, and Controls from June 2014 to September 2015.
The relator alleged the defendants “fraudulently entered into contracts with the federal government despite knowing that they did not meet the minimum standards required to be awarded a government contract.”
The relator also alleged “that when he started working for defendants in 2014, he found that defendants’ computer systems failed to meet the minimum cybersecurity requirements to be awarded contracts funded by the DoD or NASA.” The relator additionally claimed the defendants knew that they were “not compliant with the relevant standards as early as 2014,” and that they “repeatedly misrepresented [their] compliance with these technical standards in communications with government officials.”
The relator, moreover, alleged “that the government awarded [one of the companies] a contract based on these allegedly false and misleading statements,” and that “[i]n July 2015, relator refused to sign documents that defendants were now compliant with the cybersecurity requirements, contacted the company’s ethics hotline, and filed an internal report.”
The defendants apparently terminated the relator’s employment in September 2015, and the relator filed his initial complaint with the Court in October 2015. In his complaint, the relator alleged, inter alia, that the defendants violated the False Claims Act, which imposes liability on anyone who “knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval,” 31 U.S.C. § 3729(a)(1)(A), or “knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim,” id. § 3729(a)(1)(B).
Subsequently, the defendants filed a motion to dismiss the case, alleging the relator had failed to state a claim upon which relief can be granted. The Court, however, denied the defendants’ motion to dismiss the relator’s primary False Claims Act count, holding that the “relator has plausibly pled that defendants’ alleged failure to fully disclose its noncompliance [with federal cybersecurity requirements] was material to the government’s decision to enter into and pay on the relevant contracts.”
Summary of Relevant Cybersecurity Requirements
The court, by way of background, summarized the relevant cybersecurity requirements as follows:
Government contracts are subject to Federal Acquisition Regulations [FAR] and are supplemented by agency specific regulations. In November 2013, the DoD issued a final rule, which imposed requirements on defense contractors to safeguard unclassified controlled technical information from cybersecurity threats. 48 C.F.R. § 252.204-7012 (2013).
The rule required defense contractors to implement specific controls covering many different areas of cybersecurity, though it did allow contractors to submit an explanation to federal officers explaining how the company had alternative methods for achieving adequate cybersecurity protection, or why standards were inapplicable. See id. In August 2015, the DoD issued an interim rule, modifying the government’s cybersecurity requirements for contractor and subcontractor information systems. 48 C.F.R. § 252.204-7012 (Aug. 2015).
The interim rule incorporated more cybersecurity controls and required that any alternative measures be “approved in writing prior by an authorized representative of the DoD [Chief Information Officer] prior to contract award.” Id. at 252.204-7012(b)(1)(ii)(B).
The DoD amended the interim rule in December 2015 to allow contractors until Dec. 31, 2017, to have compliant or equally effective alternative controls in place. See 48 C.F.R. § 252.204-7012(b)(1)(ii)(A) (Dec. 2015). Each version of this regulation defines adequate security as “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.” 48 C.F.R. § 252.204-7012(a).
Moreover, with respect to NASA contracts, in particular, the Court explained:
Contractors awarded contracts from NASA must comply with relevant NASA acquisition regulations. 48 C.F.R. § 1852.204-76 lists the relevant security requirements where a contractor stores sensitive but unclassified information belonging to the federal government.
Unlike the relevant DoD regulation, this NASA regulation makes no allowance for the contractor to use alternative controls or protective measures. A NASA contractor is required to “protect the confidentiality, integrity, and availability of NASA Electronic Information and IT resources and protect NASA Electronic Information from unauthorized disclosure.” 48 C.F.R. § 1852.204-76(a).
The Takeaway
In light of this new reality, federal contractors must ensure that they are familiar with applicable cybersecurity requirements.
In addition, federal contractors would be wise to review and document their compliance with relevant cybersecurity requirements, and also be proactive when it comes to identifying and remedying any potential shortcomings.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
The original article, "Contractors’ Cybersecurity Violations Potentially Actionable Under False Claims Act," first appeared in Bloomberg Law on June 18, 2019.
