By Andy Liu, Robert Nichols, Haaleh Katouzian, Madison Plummer, and Samantha Hoover

Years after relator Brian Markus brought a qui tam action against Aerojet Rocketdyne Holdings, Inc. (“Aerojet Rocketdyne”), the United States Department of Justice (“DOJ”) announced that the government contractor would pay $9 million to the Government to resolve False Claims Act (“FCA”) allegations.[1]  As we wrote about in 2019, Markus alleged that Aerojet Rocketdyne had fraudulently induced the government to award Aerojet Rocketdyne contracts by misrepresenting its compliance with cybersecurity requirements.[2]  Though the government declined intervention, the case ultimately went to trial and settled on the second day of the proceeding.  Markus will receive over $2.6 million of the settlement amount, which will likely inspire similar qui tam actions.

The ever-changing landscape of cybersecurity regulations, compliance, and enforcement can be difficult to track and navigate.[3]  DOJ commenced its Civil Cyber-Fraud Initiative in October 2021.[4]  DOJ’s announcement of the Aerojet Rocketdyne settlement put the Initiative into context:

The Department’s Civil Cyber-Fraud Initiative . . . aims to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.[5]

Earlier this year, DOJ announced what it claimed was its first FCA settlement under the Civil Cyber-Fraud initiative against a different contractor.[6]  The Settlement Agreement does not mention cybersecurity and, instead, the DOJ alleged that the contractor failed to disclose that it had not complied with the terms of the contract relating to the storage of medical records when it left scanned copies of some records on an internal network drive that could have been accessed by non-clinical staff.   DOJ’s touting of this settlement as a part of its current initiative to hold companies accountable for putting U.S. information systems at risk shows how aggressive they will be to categorize allegations as “cyber fraud.”

The Civil Cyber-Fraud Initiative came in the wake of President Biden’s Executive Order on Improving the Nation’s Cybersecurity, which stressed the federal government’s role in identifying, deterring, protecting against, detecting, and responding to sophisticated malicious cyber campaigns.[7]  Notably, that Executive Order also directed the Office of Management and Budget (“OMB”) to review the Federal Acquisition Regulation (“FAR”) and provide recommendations for updates to contract requirements and clauses.  Several agencies have also initiated notice & comment rulemaking procedures describe their intent to amend agency FAR supplements to enhance cybersecurity obligations.[8]

Just as we predicted FCA cases against Federal contractors for non-compliance, we also anticipate that there will be one or more suspensions and debarments for contractors who are not presently responsible regarding cyber compliance.  As such, it’s important for contractors to understand the regulatory obligations and to pursue a holistic approach that includes technical, governance, and legal risk management aspects.

Nichols Liu has teamed with a leading cyber compliance firm to develop a templated approach to cyber compliance.  We also have extensive experience advising clients on FCA matters, having served as lead counsel for hundreds of FCA cases.