Cybersecurity Compliance Is Material to Public Contracts
Aerojet, a defense contractor, develops and manufactures aerospace and defense products that it then sells to the DOD and the National Aeronautics and Space Administration. During the procurement process, Aerojet purportedly discovered deficiencies in its cybersecurity systems and disclosed some, though not all, of those deficiencies to the government. Arguably, by submitting its proposal without full disclosure, Aerojet implied it was otherwise compliant. Aerojet’s former senior director of cybersecurity, compliance, and controls contacted the company’s ethics hotline and filed an internal report raising these concerns. Two months later, Aerojet fired the director.
The former director initiated an FCA action against Aerojet for impliedly certifying it complied with the applicable cybersecurity standards. The U.S. Supreme Court, in Universal Health Services, Inc. v. United States ex rel. Escobar, explained that an FCA plaintiff must show “first, the claim . . . makes specific representations about the goods or services provided; and second, the defendant’s failure to disclose noncompliance with material statutory, regulatory or contractual requirements makes those representations misleading half-truths.”
Aerojet moved to dismiss the action based on the relator’s failure to sufficiently plead materiality. Aerojet argued that it disclosed its noncompliance to the government and the government continued to pay for Aerojet’s services. Under Escobar, payment with actual knowledge of the breach is strong evidence that the breached term is not material. The district court rejected this argument. It cited the allegations that Aerojet had omitted critical qualifying information when submitting invoices for its services. The court reasoned that “a partial disclosure would not relieve defendants of liability where defendants failed to ‘disclose noncompliance with material statutory, regulatory, or contractual requirements.’” Failing to correct the DOD’s misunderstanding that Aerojet could “relatively simply” correct the noncompliance issues could amount to a material misrepresentation. The allegation was sufficient to survive a motion to dismiss.
The court also rejected Aerojet’s argument that its noncompliance did not go to the contract’s central purpose. It acknowledged the contract related to missile defense and rocket engine technology and not data protection, per se. However, the court explained that incorporating cybersecurity standards into the contract evidenced the government’s desire for Aerojet to undertake cybersecurity measures. And failing to comply with those requirements could have affected Aerojet’s ability to perform the contract. Accordingly, the cybersecurity provisions were sufficiently material to subject Aerojet to potential FCA liability.
Mitigating FCA Risk after Aerojet
Aerojet marks the first instance in which a court has addressed the materiality of cybersecurity requirements under the FCA. “This decision is the first time a court has said that cybersecurity is ‘central enough’ to a government contract to be considered material, at least at the motion to dismiss stage,” says Alexander (Sandy) R. Bilus, Philadelphia, PA, cochair of the ABA Section of Litigation’s Privacy & Data Security Committee. By denying the motion to dismiss, the court concluded that “the government might not have awarded the contract if it knew the extent of noncompliance with cybersecurity standards, which makes it really hard for a defense contractor to argue that it wasn’t material to the government’s decision,” adds Jeffery M. Chiow, Washington, DC, cochair of the ABA Section of Public Contract Law’s Cybersecurity, Privacy & Data Protection Committee.
Though the decision was a while in the making, practitioners are not surprised by the outcome. “This case evidences what we have been saying about the importance of cybersecurity compliance and is in line with the advice we give to clients,” notes Chiow. “We have always said there is potential for at least implied if not express False Claims Act certification liability where you have indicated to the government that you are meeting certain cybersecurity requirements,” states Chiow.
Indeed, Aerojet’s recognition of implied certification liability may invite a new wave of similar litigation, elevating risk management to a business priority. “A good way to mitigate your false claims risk is to respond appropriately when an employee blows the whistle and calls an ethics hotline,” advises Bilus. “In Aerojet, the relator alleged he was an employee who helped identify a cybersecurity problem, made a complaint to a hotline, then got fired for it—that is not the way you want to handle a whistleblower,” Bilus warns. At the very least, “do not retaliate against the whistleblower,” he adds.
Companies need to be proactive with their risk management strategies. “When it comes to cybersecurity, companies should be doing regular risk assessments to see what their internal and external risks are, then creating or improving safeguards to help mitigate those risks, and then testing those safeguards—it is an ongoing iterative process,” suggests Bilus. The evolving nature of IT systems, data, and external risks requires companies to remain vigilant. “Just because you may be protected on day one of a government contract does not mean you are continuing to protect data in the right way on day 300,” Bilus cautions. “Be accurate in statements you make, have a system security plan, and have actions and milestones. And if you have not met the standard, provide a plan detailing how the company will get there,” adds Chiow.
DOJ Guidelines on Credit for Disclosure, Cooperation, and Remedial Action
Following Aerojet, the U.S. Department of Justice (DOJ) issued guidance explaining how the DOJ awards credit to defendants who cooperate during an FCA investigation. “The guidance sets down in writing something that the government was already doing in FCA litigation as well as other white-collar cases,” remarks Bilus. “But it is helpful to attorneys and compliance officers to explain to employers or clients the worth of self-reporting and investing resources into compliance programs,” he adds.
The guidance indicates the government will provide reduced penalties for self-reporting or voluntary disclosure. Other forms of cooperation include making witnesses available, producing documents, providing the results of an internal investigation, and taking other steps to provide the government with pieces it needs to prosecute. “Another way to get credit is through remediation—identify the root cause and address it,” advises Bilus.
“The DOJ guidance does not say if you check these three boxes, you get a credit—it is up to the government’s discretion,” Bilus cautions. Even so, timely self-disclosing noncompliance, identifying all individuals substantially involved in or responsible for the misconduct, providing full cooperation with the investigation, and taking remedial steps provide the company the best opportunity to receive the maximum credit.