The DOJ’s SOI in Aerojet RocketDyne and the court’s summary judgment opinion
On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced the launch of DOJ’s new Civil Cyber-Fraud Initiative, which employs the FCA as a tool to pursue claims against government contractors and grant recipients that are allegedly engaging in cybersecurity-related fraud. The FCA includes a vital whistleblower provision that allows private parties to identify fraudulent conduct and share in recovery, all while remaining protected from retaliation. The Initiative highlights the different ways entities and individuals put U.S. information systems at risk, including by “knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
Two weeks after the Initiative was announced, the DOJ filed a statement of interest (SOI) in connection with a summary judgment motion in a cybersecurity whistleblower action, United States ex rel. Markus v. Aerojet RocketDyne Holdings, Inc., a matter in which the federal government declined to intervene back in June 2018. While the DOJ has not intervened in this matter, it has made clear its position on a number of issues related to the materiality of contractor misrepresentations or omissions regarding cybersecurity. Specifically, we note the following positions taken in the SOI:
- The government’s continued payment and contracting with a vendor after being made aware of some cybersecurity-related compliance issues with respect to a particular contractor, or compliance problems generally in an industry, does not make misrepresentations regarding cybersecurity immaterial. What matters is the factual sufficiency of any disclosures that have been made.
- Changes to regulatory requirements should not be taken to mean that prior requirements were not material to the government at the time of contracting.
- Where the product or services under the contract are delivered, failure to satisfy a material requirement does damage the government in that it is deprived of the full benefit of its bargain.
Just last week, the Eastern District of California ruled on the government contractor-defendants’ summary judgment motion in a manner consistent with the points raised in the SOI. Specifically, the court upheld one of the plaintiff-relator’s FCA claims on the grounds that, while compliance gap disclosures were made to the contracting federal agencies, they were not necessarily consistent with other findings/assessments (including incident response and penetration test reporting) that were identified in discovery.
Beyond the materiality of the representations at issue, a crucial question in any FCA litigation is whether the claims or representations are actually false. From a litigation perspective, a more immediate question is whether there is evidence in the record that creates a factual dispute as to such representations, which would allow the claim to survive until that factual dispute is assessed by a jury or judge at trial.
In Aerojet RocketDyne, the representations at issue were not only the initial representations made in the context of contract negotiation, but also the sufficiency of Aerojet RocketDyne’s gap disclosures to the government. If those disclosures were sufficient, plaintiff’s claim would have been much less likely to succeed, because it would have been difficult to claim that the government was defrauded or misled with respect to Aerojet RocketDyne’s compliance with its contractual security requirements. But there were other findings, from defendant’s internal reports, that were less optimistic than the gap disclosures to the government regarding Aerojet RocketDyne’s security, and those findings created the factual dispute keeping plaintiff’s FCA claim alive. Interestingly, there are genuine open questions as to whether all of these sources should be considered by a court in this context, but those will have to be addressed at trial, unless the matter settles beforehand.
So what were those sources of information and what can we learn from this ruling when it comes to FCA risk?
- The first was a post-incident assessment relating to a 2013 breach on the network of a different entity, Pratt & Whitney Rocketdyne, before it was acquired by Aerojet General Corp. The court relied on the findings in a memo by an outside firm both because it provided factual evidence of four incidents that were not reported to the government, and because the memo included a finding that the “current infrastructure will still allow malware to enter and cause further problems such as data leakage” and that “large quantities of data are still being detected leaving the network.” In other words, this document was used to support two distinct alleged sins in the FCA-cyber context: the failure to report prior incidents, and the failure to account for findings regarding the security of the network in representations made to the government regarding contractual compliance.
- The court also relied upon findings made in annual audit reporting done by outside agencies, which appear to have identified a number of gaps and deficiencies more severe than the gap disclosures made by Aerojet RocketDyne to the government. In other words, the court found that in the context of the FCA, the government agency is entitled to a fulsome and accurate set of gap disclosures, and does not lose a potential claim simply because it is aware that there is some non-compliance generally.
- The court referenced more than one audit report, and while at least one appeared to engage specifically with DFARS-mapped control requirements, the court also considered other outside “audit” reports, which appear to include penetration testing findings. While the notion that a successful penetration test should even be considered in this context is debatable, we note that the relevant question is whether there was language in that report that a relator or plaintiff could articulate in a manner that sounds inconsistent with federal cybersecurity control requirements, and here there apparently was.
What is interesting from a governance context is that some of the outside audits, as described in the court’s summary judgment order, appear to have been related specifically to the issue of DFARS compliance, as they were keyed off of specific DFARS control requirements. Presumably, this is the type of assessment that would be scrutinized by an organization’s personnel or functions responsible for the contractual commitments that accompany federal contracting. While this ruling suggests that all reports and findings related to cybersecurity should be accounted for in making representations to the government, we can understand how organizations may not currently be set up to encourage or guarantee such cross-functional collaboration. We suggest that any organization understand whether its internal structures account for this risk, in order to truly assess its FCA and/or whistleblower risk.