Since the Department of Defense (DoD) and other federal agencies began implementing formal cybersecurity requirements for government contractors within the last few years, one lingering question on the minds of federal contractors and subcontractors has been: “What happens if I do not comply?” Firms, including ours, have counseled that breach of contract claims are possible, and cautioned against misrepresentations of compliance. Now a federal district court has confirmed what has long been suspected, that failure to abide by contractual and regulatory cybersecurity requirements may lead to liability under the False Claims Act.
In United States of America ex rel. Brian Markus v. Aerojet Rocketdyne, Inc., the relator, a former senior director of cybersecurity for the defendant, alleged that the company had entered into contracts with NASA and the DoD despite knowing it was not in full compliance with the contracts’ cybersecurity requirements. The plaintiff’s False Claims Act allegations were based on two related legal theories – implied false certification and promissory fraud, also known as fraud in the inducement. Citing the Supreme Court’s opinion in Universal Health Servs., Inc. v. United States ex rel. Escobar, the court characterized the first ground as an allegation that the company’s “failure to disclose noncompliance with material statutory, regulatory or contractual requirements makes those representations misleading half truths.” As for the promissory fraud count, the court described liability as attaching “to each claim submitted to the government under a contract, when the contract . . . was originally obtained through false statements or fraudulent conduct.”
Consistent with the general trend of post-Escobar case law, the company moved to dismiss the suit on the basis that the government’s actions and inactions demonstrated that the relator’s claims did not satisfy the False Claims Act’s materiality standard. Prior to award of the contracts, the company had disclosed it did not comply with all parts of the applicable cybersecurity regulations, yet NASA and the DoD awarded the contracts to the company anyway. For this reason, the company argued, any noncompliance was not material under the Escobar standard. While the court acknowledged that the company may have disclosed some of its noncompliance, it held that the relator had met his burden of alleging with sufficient particularity that the company had made only partial disclosures. The court opined that the government agencies might not have awarded the contracts at issue if they had been aware of the full extent of the company’s noncompliance.
The court went on to reject the company’s second argument that the government’s decision to continue the contracts in question following the filing of relator’s complaint indicated acquiescence. Instead, the court stated that the appropriate inquiry is whether the “alleged misrepresentations were material at the time the government entered into or made payments on the relevant contracts.” The court also rejected the notion that the government’s failure to intervene in the False Claims Act case amounted to an assessment of the merits of the case in the company’s favor. In addition, the court overruled the company’s claim that, because cybersecurity was not the central purpose of the NASA and DoD contracts (which pertained to missile defense and rocket engine technology), any noncompliance was immaterial. Rather, the court held, the cybersecurity requirements were mandated via DoD and NASA acquisition regulations. Noncompliance could have made the company ineligible to handle sensitive technical information and thus influenced the extent to which the company could perform the required work.
The company’s final argument for dismissal described the frequent amendments to DoD cybersecurity regulations in the 2013-2015 timeframe, particularly the relaxation of requirements to ease burdens on industry. Those changes, the company contended, meant that the government never actually expected full technical compliance with cybersecurity requirements. The court disagreed, holding that “[e]ven if the government never expected full technical compliance, relator properly pleads that the extent to which a company was technically compliant still mattered to the government’s decision to enter into a contract.”
In addition to embodying a narrow application of the Escobar materiality standard, the case drives home the reality that contractors and subcontractors that are subject to the government’s myriad cybersecurity requirements cannot take their compliance obligations lightly. The Government Accountability Office has already affirmed that cybersecurity compliance can be a relevant factor in contract award. See, e.g., Avosys Tech., Inc., B-415716.6 (July 30, 2018); Jardon and Howard Technologies, Inc., B-415330.3; B-415330.4 (May 24, 2018). DoD and other agencies have also made it clear that they expect compliance with the safeguarding and network penetration requirements of their cybersecurity regulations. For example, late last year, DoD issued guidance to clarify how it will communicate its cybersecurity expectations to contractors and assess their compliance with those expectations. The White House’s recent National Cybersecurity Strategy document discusses the need to strengthen federal contractor cybersecurity.
In short, cybersecurity is an issue that is not going away. Government contractors and subcontractors that do not take immediate steps to assess and secure their IT systems may soon find themselves excluded from competitions, or at the wrong end of a False Claims Act lawsuit. Given that penalties under the False Claims Act can include treble damages, which might apply to the full proceeds of a contract under a fraud in the inducement theory, the cost of not implementing cybersecurity protocols could far exceed the cost of compliance.