Can a Noncompliant Cybersecurity Program be a False Claim?
By: Michael Hawkes
Published Date: June 17, 2019
By now, government contractors generally are familiar with the Federal Government’s concerns over cybersecurity and the FAR and DFARS clauses requiring contractors to implement cybersecurity programs and otherwise safeguard information systems that process, store, or transmit federal contract information. See FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems; DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. There has been some question as to what consequences a contractor could face if it fails to comply with these clauses. Recently, the United States District Court for the Eastern District of California indicated that a contractor could face False Claims Act liability. United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245 (E.D. Ca. May 8, 2019).
In that case, the qui tam plaintiff, a former senior director of Cyber Security, Compliance, and Controls for Aerojet Rocketdyne Holdings, Inc. and Aerojet Rocketdyne, Inc., brought an action against the companies for, among other things, violations of the False Claims Act. The False Claims Act allegations involved promissory fraud (i.e., fraud in the inducement), use of false or fraudulent statements or records, and conspiracy to submit false claims.
The plaintiff alleged that the defendants fraudulently entered into contracts with the Department of Defense and NASA knowing that the companies did not comply with DFARS 252.204-7012 and a NASA regulation, NFS 1852.204-76, Security Requirements for Unclassified Information Technology Resources, that required contractors to protect the confidentiality, integrity, and availability of NASA Electronic Information and IT resources and protect NASA Electronic Information from unauthorized disclosure. According to the court, unlike DFARS 252.204-7012, NFS 1852.204-76 did not make allowances for the contractor to use alternative controls or protective measures to meet the standards.
The plaintiff asserted that the defendants repeatedly misrepresented their compliance with the cybersecurity technical requirements in their communications with government officials and that the Government awarded the companies a contract based on these allegedly false and misleading statements. He further alleged that the companies knew they were not compliant after they hired a consultant to audit their compliance.
The defendants moved to dismiss the False Claims Act allegations arguing that any alleged violations were not material. The court denied the motion with regard to the fraudulent inducement and false statement actions but granted the motion with regard to the conspiracy action.
The court noted that the False Claims Act imposes liability on anyone who knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval or knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim. In situations other than false or fraudulent claims for payment, liability also can attach for false certifications and fraud in the inducement.
The court rejected the defendants’ arguments that the plaintiff could not satisfy the materiality requirement because the companies had disclosed to government customers that they were not compliant with the DoD and NASA regulations. The plaintiff, the court found, had alleged with sufficient particularity that the defendants did not fully disclose the extent of the companies’ noncompliance. The court noted that a partial disclosure would not relieve the defendants of liability where the defendants failed to disclose noncompliance with material statutory, regulatory, or contractual requirements. The court found that the plaintiff sufficiently alleged that the alleged misrepresentations as to the extent of the defendants’ noncompliance could have affected the Government’s decision to enter into and pay on the contracts at issue.
Whether the plaintiff ultimately will prevail on his False Claims Act actions remains to be seen. However, this case is a stark reminder of the potential breadth of the False Claims Act with respect to government contracts. Contractor representations and certifications with respect to compliance with contract requirements must be accurate. Where the contractor is not in compliance, the contractor should consider advising the Government of the noncompliance. Any such disclosure, however, also must be accurate. Partial disclosures may not protect the contractor from liability.