DOJ Notches Key Win for Civil Cyber-Fraud Initiative: Court Holds That Cyber Security Compliance May Be Material Under the False Claims Act

By way of background, in October 2021, Deputy Attorney General Lisa Monaco announced the Civil Cyber-Fraud Initiative, which was aimed at using "the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients." DOJ explained that it intends to use the FCA to "hold accountable" those who "put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches." Our past coverage of the Initiative can be found here.

Weeks after announcing the Initiative, DOJ launched its opening salvo in the Aerojet case pending in the Eastern District of California. There, a former Senior Director of Cyber Security, Compliance, and Controls at Aerojet RocketDyne Inc. and Aerojet RocketDyne Holdings, Inc. (AR) accused the company of fraudulently obtaining billions of dollars of NASA and DoD contracts and subcontracts while failing to maintain mandatory NASA FAR and DFARS cybersecurity requirements, in violation of the FCA. The relator asserted FCA claims sounding in promissory fraud (i.e., fraud in the inducement) and false certification. The government declined to intervene in the case in June 2018.

After the parties cross-moved for summary judgment, on October 20, 2021, the government filed a 13-page Statement of Interest effectively defending the FCA theory announced by DAG Monaco. The government's filing contested AR's argument that noncompliance with cybersecurity requirements was immaterial to government payment decisions under the FCA, even if the government paid claims while aware of compliance problems in the industry writ large or some of the compliance issues at AR. The government also contested AR's assertion that damages were lacking because it "ignores that the government did not just contract for rocket engines, but also contracted with AR to store the government's technical data on a computer system that met certain cybersecurity requirements."

The Court's February 1, 2022 opinion largely sided with the government, ruling that there was at least a triable issue of fact whether AR violated the FCA by committing promissory fraud. Based on the evidence, the Court concluded that there was a genuine issue of fact whether AR had misrepresented its cybersecurity compliance to DoD and NASA because, although it made disclosures to the agencies about these issues, it was unclear if the disclosures were complete. The Court also found that the relator's "supporting evidence shows that defendants knew AR needed to comply with the DFARS and NASA FARS clauses, and were aware of AR's noncompliance and the information obtained through outside audits," which was sufficient to create a triable fact as to scienter.

The Court also ruled that there was a genuine issue of fact whether cybersecurity noncompliance met the FCA's materiality requirement. The Court noted that while materiality is not established merely because the "government designates compliance with a particular statutory, regulatory, or contractual requirement as a condition of payment" (quoting the Supreme Court's pivotal FCA decision in Universal Health Services, Inc. v. United States ex rel. Esocbar, 136 S. Ct. 1989, 2003 (2016)), the contracts' incorporation of cybersecurity regulations were relevant to materiality. And "[i]t may reasonably be inferred that compliance was significant to the government because without complete knowledge about compliance, or noncompliance, with the clauses, the government cannot adequately protect its information."

The Court rejected AR's argument that noncompliance was immaterial merely because the government paid claims to AR and other contractors despite being aware of cybersecurity noncompliance issues, reasoning that "the court cannot speculate as to other contractors' level of noncompliance when analyzing whether similar … claims were paid." The Court also noted that it was unclear whether the government had "actual knowledge" of AR's compliance issues given AR's potentially incomplete disclosures.

Finally, the Court ruled that there was a genuine issue of material fact as to the element of causation, because "a reasonable trier of fact could find that the government might not have contracted with AR, or might have contracted at a different value, had it known what relator argues AR should have told the government." Although the Court denied the parties' motions as to the promissory fraud theory, it granted AR's motion as to the relator's false certification theory, which was based on contracts that the Court previously declined to consider. It also denied summary judgment to both parties on the issue of damages.  

The DOJ's Civil Cyber-Fraud Initiative, bolstered by the Aerojet case, reinforces that government contractors, grantees, and others who receive federal funds should heed DOJ's warnings and maintain strong cybersecurity protocols, practices, and procedures. Not only is this good business, but it will mitigate risks posed by a government investigation or whistleblower suit, which could give rise to substantial treble damages and civil penalties under the FCA, as well as debarment.