Two recent cases highlight the increased FCA risk that cybersecurity compliance poses for government contractors. The first, which recently survived a motion to dismiss, is a cautionary tale for contractors that “self-certify” that their own IT systems provide adequate security for sensitive federal information they store, process, or transmit in performance of a federal contract. The second signals the importance of accurately representing compliance with federal cybersecurity standards when selling IT products and/or services to the government. Both raise interesting issues with respect to materiality and damages under the FCA.
Podcast participants: Mike Vernick, Mike Scheimer
United States v. Aerojet Rocketdyne Holdings, Inc., 381 F. Supp. 3d 1240 (E.D. Cal. 2019)
In United States v. Aerojet Rocketdyne Holdings, Inc., a California federal court recently denied the defendants’ motion to dismiss a qui tam complaint. The relator in this case alleged that the defendants (two related corporate entities) failed to adequately address the vulnerability findings of an external information security assessment and falsely certified to compliance with applicable cybersecurity requirements.
This case does not involve the sale of IT products or services to government agencies, but rather concerns the federal protections that follow federal information when it flows into a contractor's internal IT systems. The relator alleges a failure to meet minimum cybersecurity requirements for safeguarding Controlled Unclassified Information (CUI) accessed, stored, or processed by the contractor on its own IT systems in performance of its Department of Defense and NASA contracts. Specifically, the Defense Federal Acquisition Regulation Supplement (DFARS) contract clause 252.204-7012 required the contractor to provide “adequate security” on contractor IT systems that process, store, or transmit CUI. This requires self-certifying that, at a minimum, the contractor’s IT systems meet the baseline requirements in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
The relator, who was the Director of Cyber Security, Compliance and Controls, claims that he refused to certify that the company was fully compliant with the government’s cybersecurity requirements after an external auditor found security vulnerabilities that would require further remediation. After contacting the company’s ethics hotline, and filing an internal report, the relator was terminated. The qui tam complaint followed and alleges that the company violated the FCA by submitting and conspiring to submit false certifications that it was compliant with the contractual cybersecurity requirements.
United States ex rel. Glenn v. Cisco Systems, Inc., No. 1:11-cv-00400-RJA (W.D.N.Y. July 31, 2019)
According to a July 31, 2019 press release, Cisco Systems, Inc. agreed to pay $8.6 million ($2.6 million to the federal government and $6 million to state government purchasers) to resolve allegations that its Video Surveillance Manager (VSM) product did not comply with government customer cybersecurity requirements. The relator alleges that, while working for a Danish networking company and Cisco partner, NetDesign, he identified security vulnerabilities in Cisco’s VSM, which could allow an attacker to exploit the system and even gain “administrator” rights (which would enable future abuse to go undetected). The security flaws were also alleged to potentially compromise the security of other systems connected to the VSM.
The contracts through which government entities purchased the VSM required the company to represent that its surveillance products were compliant with federal information security requirements, including standards published by the National Institute of Standards and Technology (NIST). The complaint asserts that claims for payment for the VSM were false under the federal and state false claims acts because the alleged security flaws: (1) rendered the VSM worthless; and (2) rendered the contractor’s certification that the VSM was compliant with federal information security requirements false.
Implications for Future FCA Cases
Drawing from these cases as examples, one key element of cybersecurity-related FCA cases is materiality. Under the FCA, a misrepresentation is “material” if it “[has] a natural tendency to influence, or be capable of influencing, the payment or receipt of money or property.”1 As outlined by the Supreme Court in Universal Health Servs., Inc. v. United States ex rel. Escobar, the materiality standard is “demanding” and looks in part to the effect the alleged misrepresentation has on the government’s behavior.2 Whether cybersecurity requirements are material can depend on several factors, including the extent to which the government was aware of a contractor’s noncompliance, and how closely integrated the applicable cybersecurity requirements are with the products and/or services being provided by the contractor. Notably, in Aerojet, the court rejected several defense arguments focused on materiality.
First, citing Escobar, the defendants argued that any noncompliance was immaterial because the government continued to pay invoices even though the defendants had disclosed that they were not compliant with relevant government cybersecurity regulations. The district court rejected this argument after finding the complaint adequately alleged the contractor had not disclosed the full extent of its noncompliance.3
Second, the defendants argued the government’s willingness to continue contracting with the company after it began investigating the defendant’s cybersecurity compliance was evidence that the misrepresentations were not material, as was the government’s decision not to intervene. The court rejected these arguments explaining, “the appropriate inquiry is whether [the company’s] alleged misrepresentations were material at the time the government entered into or made payments on the relevant contracts.”4
Third, the defendants argued the company’s noncompliance with cybersecurity regulations “does not go to the central purpose of any of the contracts, as the contracts pertain to missile defense and rocket engine technology, not cybersecurity.”5 The court disagreed, stating that the DoD’s and NASA’s “acquisition regulations require that the defense contractor undertake cybersecurity specific measures before the contractor can handle certain technical information” and “misrepresentations as to compliance with these cybersecurity requirements could have influenced the extent to which [the company] could have performed the work specified by the contract.”6
Lastly, the defendants argued that “the defense industry’s noncompliance with these regulations as a whole weighs against a finding of materiality.”7 The court rejected this, noting “[e]ven if the government never expected full technical compliance, relator properly pleads that the extent to which a company was technically [compliant] still mattered to the government’s decision to enter into a contract.”8
The Aerojet case signals that the relationship between the regulations that have been allegedly violated and the nature of the contract, as well as the extent to which the government was aware of the noncompliance at the time of contracting will continue to shape materiality analysis in cybersecurity-related FCA claims.
The nature of damages will likely be another area of focus in FCA cases based on cybersecurity noncompliance.
The complaint in Aerojet raises a fraud-in-the-inducement theory of liability, claiming that the defendants caused the government to award contracts by misrepresenting their compliance with the applicable cybersecurity requirements. Succeeding on such a theory could result in damages based on the full value of the contracts improperly awarded. Defendants, for their part, will likely argue that any alleged damages should be based on the reduced value of the services caused by the alleged cybersecurity noncompliance. While it is still unclear at this early stage of cybersecurity-related FCA cases whether a fraudulent inducement theory will prevail, the potential for such damages poses significant monetary risk for federal contractors who “self-certify” or are otherwise required to comply with federal cybersecurity requirements.
Key issues that could impact the scope of potential damages for falsely certifying compliance with cybersecurity requirements are: (1) whether the court views the certifications as material to the government’s decision to award a contract; and (2) whether any benefit the government received, despite the alleged non-compliance, should be considered when calculating damages.
Government contractors have been concerned for some time that cybersecurity requirements will give rise to FCA claims. That fear is now a reality. Government contractors should strive to cabin their cyber-related FCA risk by regularly reviewing their compliance with fast-developing cybersecurity rules and regulations. It is also important to continue monitoring cybersecurity-related court decisions that address whether non-compliance with cybersecurity rules and regulations is material for FCA purposes and what the appropriate measure of damages is if and when an FCA claim can be sustained.
1. 31 U.S.C. § 3729(b)(4).
2. 136 S. Ct. 1989, 2002-03 (2016).
3. Aerojet, 381 F. Supp. 3d at 1246-47.
4. Id. at 1248.
7. Id. at 1248-49.
8. Id. at 1249.