Barron Avery, leader of BakerHostetler’s national Government Contracts team, was quoted in a Law360 article titled “Top 5 Gov’t Contract Cases of 2019.” Avery’s comments serve as a reminder to contractors that failing to adhere to cybersecurity requirements can have serious and dire consequences for the contractors themselves.
In May 2019, the U.S. District Court for the Eastern District of California held that an alleged failure to meet cybersecurity regulations can form the basis for a False Claims Act suit. This is the first holding of its kind. The suit involved a relator who claimed rocket and missile propulsion manufacturer Aerojet Rocketdyne (Aerojet) misled the U.S. Department of Defense about Aerojet’s failure to safeguard “unclassified controlled technical information” from cybersecurity threats. In particular, the relator claimed Aerojet misrepresented and only partially disclosed to the U.S. government the extent to which Aerojet was noncompliant with cybersecurity regulations. Based on these claims, the court held the “relator has plausibly pled that defendants’ alleged failure to fully disclose its noncompliance was material to the government’s decision to enter into and pay on the relevant contracts.” Aerojet affirmatively argued that the court should dismiss the case because Aerojet disclosed its noncompliance to its government customers, several government agencies have continued to contract with Aerojet despite a government investigation into these claims, the government decided not to intervene in this action, and Aerojet’s noncompliance does not go to the central purpose of any of the contracts, which pertain to missile defense and rocket engine technology rather than cybersecurity. These defenses did not persuade the court. As a result, the court declined to dismiss the case at this stage, thereby allowing the relator to move forward with his claims against Aerojet.
In light of this ruling, federal government contractors need to pay close attention to their compliance with cybersecurity regulations. This applies to all companies with government contracts that contain cybersecurity clauses, even if those contracts don’t chiefly relate to cybersecurity or information technology products and/or services. Contractors should review their government contracts to fully understand their cybersecurity obligations therein, audit their internal cybersecurity policies accordingly, train employees with respect to these policies, and fully and accurately explain any lack of compliance to the government when and where appropriate.
As new requirements for contractors are expected to roll out this month, namely the Cybersecurity Maturity Model Certification program, contractors are well advised to spend time assessing their cybersecurity compliance.