March 11, 2020 Feature

Half-Truths and Hand Grenades: Defense Contractor Sweeps Noncompliance under the Rug

False Claims Act requires full disclosure of cybersecurity noncompliance

By Kristen L. Burge

Failing to disclose noncompliance with cybersecurity standards may subject government contractors to liability under the False Claims Act (FCA), even when data protection is not the primary purpose of the contract. Federal acquisition regulations require public contractors to adhere to particular cybersecurity requirements to protect sensitive, unclassified government information. Submitting a proposal to the government certifies the contractor complies with these standards, and failing to disclose noncompliance may violate the FCA, according to United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc.

Failure to disclose cybersecurity noncompliance may subject contractors to liability

Photo illustration by Elmarie Jara / iStockphoto by Getty Images

False Claims Act Penalizes False Material Statements

The FCA imposes liability on any public contractor that submits to the government a statement in support of a proposal when the contractor knows or should know the statement is false. For liability to attach, the false statement must be “material,” which the FCA defines as one that has “a natural tendency to influence, or be capable of influencing, the payment or receipt of money or property.” If liable, a contractor is subject to penalties that range from $5,500 to $11,000 per violation, plus treble damages, attorney fees, and costs.

As a part of the procurement process, contractors submit proposals that are subject to the Federal Acquisition Regulation (FAR) 52.204-21. This regulation imposes basic security controls that contractors must use for safeguarding government information. Agencies may then impose additional requirements that extend beyond FAR’s mandates. The Department of Defense (DOD), for example, requires defense contractors to meet its agency-specific cybersecurity requirements (DFARS 252.204-7012). Accordingly, defense contractors must implement “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.” Whether these cybersecurity requirements are material to government contracts had not been answered definitively until the U.S. District Court for the Eastern District of California addressed the issue in Aerojet.
