
U.S. – Recent Cyber-FCA matter shores up DOJ’s ability to seek FCA liability for incomplete security disclosures

Last October, the DOJ announced its Civil Cyber-Fraud Initiative to incentivize government contractor employees to report non-disclosure of cyber breaches and/or noncompliance with cybersecurity requirements to the federal government. Specifically, the DOJ announced that it “will use [its] civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk.” We have previously discussed the DOJ Civil Division’s crackdown on non-compliant cyber practices and outlined how we think this effort plays into the US government’s overall approach to cybersecurity. Whenever the government announces its intent to use a tool that has been in its arsenal for some time, a natural follow-up question is whether enforcement efforts will focus on future violations, or whether there is a ready queue of prior conduct to investigate. Based on a recent summary judgment ruling in the Eastern District of California in United States ex rel. Markus v. Aerojet RocketDyne Holdings, Inc., as well as the DOJ’s filed Statement of Interest (“SOI”) in that matter, we believe that the DOJ has helped secure its ability to investigate and prosecute conduct occurring well before October 2021.

Specifically, if you are a federal contractor, have disclosed prior deficiencies or gaps to the government with respect to cybersecurity control requirements, and have continued to provide goods or services on that contract with no particular outcry from your contracting counterpart, you should not assume that you are immune from the DOJ’s reach under the False Claims Act (“FCA”). You may be thinking: how is it that my company can be held liable for compliance gaps it discloses to the government? Unfortunately, in the world of litigation risk, and of summary judgment motions in particular, that is the wrong question. The relevant question is whether there are questions of fact as to the sufficiency of such disclosures, in light of all of the other security-related findings (whether or not related to DFARS compliance) that have been made by your organization in connection with audits, incident response, or any other process. And while whoever in your organization is responsible for federal contract disclosures may not be aware of these other findings or reports, they need to be, because failure to account for them may be enough for FCA liability, and is likely enough for an issue to go to a trier of fact.

The DOJ’s SOI in Aerojet RocketDyne and the court’s summary judgment opinion

On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced the launch of DOJ’s new Civil Cyber-Fraud Initiative, which employs the FCA as a tool to pursue claims against government contractors and grant recipients that are allegedly engaging in cybersecurity-related fraud. The FCA includes a vital whistleblower provision that allows private parties to identify fraudulent conduct and share in recovery, all while remaining protected from retaliation. The Initiative highlights the different ways entities and individuals put U.S. information systems at risk, including by “knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”

Two weeks after the Initiative was announced, the DOJ filed an SOI in connection with a summary judgment motion in a cybersecurity whistleblower action, United States ex rel. Markus v. Aerojet RocketDyne Holdings, Inc., a matter in which the federal government had declined to intervene back in June 2018. While the DOJ has not intervened in this matter, it has made clear its position on a number of issues related to the materiality of contractor misrepresentations or omissions regarding cybersecurity. Specifically, we note the following positions taken in the SOI:

  • The government’s continued payment of, and contracting with, a vendor after being made aware of some cybersecurity-related compliance issues with respect to a particular contractor, or of compliance problems generally in an industry, does not make misrepresentations regarding cybersecurity immaterial. What matters is the factual sufficiency of any disclosures that have been made.
  • Changes to regulatory requirements should not be taken to mean that prior requirements were not material to the government at the time of contracting.
  • Where the product or services under the contract are delivered, failure to satisfy a material requirement does damage the government in that it is deprived of the full benefit of its bargain.

Just last week, the Eastern District of California ruled on the government contractor-defendants’ summary judgment motion in a manner consistent with the points raised in the SOI. Specifically, the court upheld one of the plaintiff-relator’s FCA claims on the grounds that, while compliance gap disclosures were made to the contracting federal agencies, they were not necessarily consistent with other findings/assessments (including incident response and penetration test reporting) that were identified in discovery.

Beyond the materiality of the representations at issue, a crucial question in any FCA litigation is whether or not any claims or representations are actually false. From a litigation perspective, a more immediate question is whether there is evidence in the record that creates a factual dispute as to such representations, which would allow the claim to potentially survive until that factual dispute is assessed by a jury or judge at trial.

In Aerojet RocketDyne, the representations at issue were not only the initial representations made in the context of contract negotiation, but also the sufficiency of Aerojet RocketDyne’s gap disclosures to the government. If these disclosures were sufficient, plaintiff’s claim would have been much less likely to succeed because it would have been difficult to claim that the government was somehow defrauded or misguided with respect to Aerojet RocketDyne’s compliance with its contractual security requirements. But there were other findings, from defendant’s internal reports, that were less optimistic than the gap disclosures to the government regarding Aerojet RocketDyne’s security, and which caused the factual dispute keeping plaintiff’s FCA claim alive. Interestingly, there are genuine open questions as to whether all of these sources should be considered by a court in this context, but those will have to be addressed at trial, unless the matter settles beforehand.

So what were those sources of information and what can we learn from this ruling when it comes to FCA risk?

  • The first was a post-incident assessment relating to a breach that occurred in 2013 on the network of a different entity, Pratt & Whitney Rocketdyne, before it was acquired by Aerojet General Corp. The court relied on a memo by an outside firm for two reasons: first, because it provided factual evidence of four incidents that were not reported to the government, and second, because the memo included findings that the “current infrastructure will still allow malware to enter and cause further problems such as data leakage” and that “large quantities of data are still being detected leaving the network.” In other words, this one document was used to support two distinct alleged sins in the FCA-cyber context: the failure to report prior incidents, and the failure to account for findings regarding the security of the network in representations made to the government regarding contractual compliance.
  • The court also relied upon findings made in annual audit reporting done by outside agencies, which appear to have identified a number of gaps and deficiencies that are more severe than the gap disclosures made by Aerojet RocketDyne to the government. In other words, the court found that in the context of the FCA, the government agency is entitled to a complete and accurate set of gap disclosures, and does not lose a potential claim simply because it is aware that there is some non-compliance generally.
  • The court referenced more than one audit report, and while at least one appeared to engage specifically with DFARS-mapped control requirements, the court also considered other outside “audit” reports, which appear to include penetration testing findings. While the notion that a successful penetration test should even be considered in this context is debatable, we note that the relevant question is whether there was language in that report that a relator or plaintiff could articulate in a manner that sounds inconsistent with federal cybersecurity control requirements, and here there apparently was.

What is interesting from a governance perspective is that some of the outside audits, as described in the court’s summary judgment order, appear to have been related specifically to the issue of DFARS compliance, as they were keyed off of specific DFARS control requirements. Presumably, this is the type of assessment that would be scrutinized by the personnel or functions in an organization responsible for the contractual commitments that accompany federal contracting. While this ruling suggests that all reports and findings related to cybersecurity should be accounted for in making representations to the government, we can understand how organizations may not currently be set up to encourage or guarantee such cross-functional collaboration, and we suggest that any organization determine whether its internal structures account for this risk, in order to truly assess its FCA and/or whistleblower risk.

Key takeaways

1. Assess your organization’s processes

Assess your organization’s processes regarding cybersecurity in federal contracting. Who is responsible for ensuring compliance with these controls? Are they integrated into incident response, audit, penetration testing, or any other process that can result in findings with respect to the overall security posture of your organization? If they are siloed, fixing that is a crucial first step.

2. Have relevant resources review any prior findings from incident response, audit, and assessment reports relating to cybersecurity

Have relevant resources confirm that all prior incidents (and related reporting) and cybersecurity-related assessments (and related reporting) are actually reviewed from a legal risk perspective, against existing contractual requirements and any prior disclosures made to the federal government. We would recommend doing this through outside counsel familiar with both enforcement practice and cybersecurity generally, to avoid generating disclosures that could support an FCA claim.

3. Talk to outside counsel

If any of the work above creates a potential issue, talk to outside counsel. As noted above, the Aerojet RocketDyne decision makes it at least easier for the DOJ to start thinking about enforcement actions related to prior disclosures it has received, irrespective of whether the contracting federal agency may have appeared to acquiesce after being made aware of certain gaps. So while you may take comfort in the fact that you have made gap disclosures in the past and still have the contract, that does not mean that the very same contract could not support a later FCA claim.