We Knew This Day Would Come: FCA Claim Based On Inadequate Cybersecurity Survives Dismissal Motion On Materiality Grounds

Author:Mr Mark Colley, Tom McSorley and Sonia Tabriz
Profession:Arnold & Porter

Whether the Department of Defense's (DoD) cybersecurity rules might prompt False Claims Act (FCA) liability has been a concern and debated issue ever since they were first rolled out in 2013 (modified substantially in 2015). By now, most defense contractors are subject to the latest requirements, which require both cyber incident reporting and "adequate security" compliant with NIST SP 800-171 standards (absent other specific contract instructions or contexts). It seemed inevitable that failing to live up to the government's cybersecurity standards would lead not only to contract disputes or national security concerns, but also FCA litigation. The wait is over.

In United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 15-cv-2245, 2019 WL 2024595 (E.D. Ca. May 8, 2019), a relator—the company's former senior director of Cyber Security, Compliance, and Controls—has alleged that Aerojet Rocketdyne (Aerojet) impliedly, but falsely, certified to the government that it was in compliance with DoD's cybersecurity rules (as well as NASA rules). The court denied Aerojet's motion to dismiss based on inadequate materiality pleadings, which cited substantial evidence that the government was aware of the alleged noncompliance and yet continued to pay.

Holding that materiality had been adequately pled, the court first reasoned that Aerojet's alleged misrepresentations "could" be material, even though Aerojet was making aerospace and defense products for the government, not providing IT or similar services, because "cybersecurity requirements could have affected [Aerojet's] ability to handle technical information pertaining to missile defense and rocket engine technology[,]" which, in turn, could have affected Aerojet's ability to perform under its various DoD and NASA contracts. The court also rejected Aerojet's argument that materiality was lacking because Aerojet had disclosed its noncompliance with the relevant DoD and NASA regulations, but nonetheless was awarded the contract. The court acknowledged a letter from a DoD representative to the contracting officer noting that DoD could award the contract to Aerojet even though Aerojet had disclosed its inability to comply with the cybersecurity rules, adding that it appeared "relatively simple" for Aerojet to become compliant. The court reasoned, however, that although Aerojet disclosed some of its noncompliance, relator alleged that...

To continue reading