At the heels of a recent Civil Cyber-Fraud Initiative related to cybersecurity practices and the False Claims Act (FCA), a cybersecurity-related FCA case has survived a motion for summary judgment, teeing up a trial to determine if the defendants’ cybersecurity compliance disclosures were materially incomplete and if any misstatements were knowingly made.
On February 1, 2022, U.S. District Judge William B. Shubb ruled on cross motions for summary judgment, holding that a promissory fraud claim under the FCA can continue because a genuine dispute of material fact exists regarding the extent to which Aerojet RocketDyne Inc. and Aerojet RocketDyne Holdings, Inc. (Aerojet) disclosed its noncompliance with contract provisions requiring it to safeguard information from cybersecurity threats and implement specific cybersecurity controls.
The case, United States ex rel. Markus v. Aerojet RocketDyne Holdings, Inc., was filed by Aerojet’s former senior director of Cyber Security, Compliance, and Controls. He alleged that Aerojet entered into NASA and U.S. Department of Defense (DoD) contracts knowing it did not meet the minimum cybersecurity standards and subsequently failed to fully disclose its noncompliance with cybersecurity requirements under those contracts.
The former director bases his fraud claim, in part, on Aerojet’s failure to disclose to NASA and DoD the results of annual cybersecurity audits, which found that Aerojet had several high, moderate, and low risk deficiencies and concluded that Aerojet was not fully compliant with the requisite cybersecurity requirements under the NASA and DoD contracts. The Court determined that a reasonable trier of fact could find the audit findings material under the FCA.
The Court also found that cybersecurity compliance may be material under the FCA, where such compliance is an express term of the government contract. As the Court noted, a trier of fact may find that cybersecurity compliance was material to the government because without complete knowledge about compliance the government cannot adequately protect its information.
This decision is an encouraging result for the Justice Department, which launched its Civil Cyber-Fraud Initiative in October 2021 with the stated goal of using the FCA to “hold accountable” those who “put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity and breaches.” Although the Justice Department had not intervened in the action filed several years earlier, it submitted a Statement of Interest in opposition of Aerojet’s position one week after launching that initiative.
In light of this decision and the Justice Department’s initiative, government contractors, grant recipients, and others who receive federal funds should confirm they have implemented sufficient cybersecurity processes, procedures, and controls and ensure they make accurate and fulsome disclosures to government agencies regarding their compliance with applicable cybersecurity requirements.