Whether the Department of Defense's (DoD) cybersecurity rules might prompt False Claims Act (FCA) liability has been a concern and a debated issue ever since the rules were first rolled out in 2013 (and modified substantially in 2015). By now, most defense contractors are subject to the latest requirements, which call for both cyber incident reporting and "adequate security" compliant with NIST SP 800-171 standards (absent other specific contract instructions or contexts). It seemed inevitable that failing to live up to the government's cybersecurity standards would lead not only to contract disputes or national security concerns, but also to FCA litigation. The wait is over.

In United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 15-cv-2245, 2019 WL 2024595 (E.D. Ca. May 8, 2019), a relator—the company's former senior director of Cyber Security, Compliance, and Controls—has alleged that Aerojet Rocketdyne (Aerojet) impliedly, but falsely, certified to the government that it was in compliance with DoD's cybersecurity rules (as well as NASA rules). The court denied Aerojet's motion to dismiss, which argued that materiality had been inadequately pled and cited substantial evidence that the government was aware of the alleged noncompliance and yet continued to pay.

Holding that materiality had been adequately pled, the court first reasoned that Aerojet's alleged misrepresentations "could" be material, even though Aerojet was making aerospace and defense products for the government, not providing IT or similar services, because "cybersecurity requirements could have affected [Aerojet's] ability to handle technical information pertaining to missile defense and rocket engine technology[,]" which, in turn, could have affected Aerojet's ability to perform under its various DoD and NASA contracts. The court also rejected Aerojet's argument that materiality was lacking because Aerojet had disclosed its noncompliance with the relevant DoD and NASA regulations, but nonetheless was awarded the contract. The court acknowledged a letter from a DoD representative to the contracting officer noting that DoD could award the contract to Aerojet even though Aerojet had disclosed its inability to comply with the cybersecurity rules, adding that it appeared "relatively simple" for Aerojet to become compliant. The court reasoned, however, that although Aerojet disclosed some of its noncompliance, relator alleged that Aerojet actually understated the extent of its noncompliance, and thus the letter was evidence of materiality because it showed DoD was relying on Aerojet's allegedly false representations to determine whether to award the contract. Finally, citing the Ninth Circuit's much-discussed decision in United States ex rel. Campie v. Gilead Sciences, Inc., 862 F.3d 890 (9th Cir. 2017), the court discounted the fact that DoD and NASA continued to contract with Aerojet after learning of Aerojet's alleged misrepresentations, reasoning that "the appropriate inquiry is whether [the] alleged misrepresentations were material at the time the government entered into or made payments on the relevant contracts."

There are two key takeaways here—one generally applicable to all FCA cases and one specific to cybersecurity matters. The first is that the Ninth Circuit continues to be an unfavorable circuit for FCA defendants, as the Aerojet court relied on the fact that the alleged noncompliance "could" have affected the government's decisions, despite evidence that it actually did not. Second, contractors should be transparent and particularized about the extent to which their cybersecurity program does and does not meet applicable standards. Fortunately, since the events documented in the complaint against Aerojet, DoD has provided significantly more guidance regarding what compliance with the applicable cybersecurity rules needs to look like. Contractors now have a formalized process, through the generation of a "System Security Plan" and "Plans of Action & Milestones" under NIST SP 800-171, to document the current state of their compliance with applicable standards. Nevertheless, the Aerojet case will serve as an important benchmark, as it unfolds, for assessing FCA risk in the cybersecurity context, where a contractor's disclosures to the government regarding its security program are understood—by a relator, the government or the court—to be inadequate.
