By Andy Liu, Robert Nichols & Jason C. Lynch
In April 2014, Robert Nichols co-authored a Briefing Paper entitled Cybersecurity for Government Contractors, which is available on our website.[1] The paper discussed the growing regulatory requirements that government agencies had been imposing on contractors to protect government data. It also warned that failure to abide by these new cybersecurity requirements could lead to potential False Claims Act (FCA) liability. This prediction has now come true, as described below. But first, a little more background.
The USIS Incident
Just four months after the Briefing Paper was published, on August 6, 2014, US Investigative Services LLC (USIS), the largest commercial provider of background investigations to the federal government, issued a media statement:
“Our internal IT security team recently identified an apparent external cyber-attack on USIS’ corporate network. We immediately informed federal law enforcement, the Office of Personnel Management (OPM) and other relevant federal agencies. We are working closely with federal law enforcement authorities and have retained an independent computer forensics investigations firm to determine the precise nature and extent of any unlawful entry into our network. Experts who have reviewed the facts gathered to-date believe it has all the markings of a state-sponsored attack.”
Yet within a matter of months, USIS was in bankruptcy, thousands of its employees were laid off, and its assets and remaining government contracts were transferred to another contractor. Why? USIS had committed no crime. The company had self-identified and reported the cyber breach to federal authorities and by all accounts cooperated with their investigation. And it had early detection systems that the government had approved and reviewed on a regular basis. At bottom, though, federal officials had lost confidence in the company.
The USIS incident demonstrated that contractors – because they hold valuable government information – are targets for cyber criminals and state actors. Just last year, The Washington Post reported that “China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare.” This has been precisely the government’s concern – and why new regulatory standards keep finding their way into contract clauses that govern the cyber activities of contractors. As a result of such clauses, contractors are now required to undertake cyber measures that they may not even have considered just a few years ago, and the number of such requirements is growing at a rapid pace.
And now the consequences of non-compliance have just gone up.
Applying the FCA to Cyber
Just last month, a federal judge denied a contractor’s motion to dismiss an FCA case premised on noncompliance with federal cybersecurity requirements. The case undoubtedly portends more cyber-based FCA suits.
In United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Incorporated, No. 2:15-cv-2245, slip op. (E.D. Cal. May 8, 2019), defendants’ former senior director of Cyber Security, Compliance and Controls alleged that defendants fraudulently misrepresented their compliance with DoD’s and NASA’s minimum security requirements for safeguarding unclassified controlled technical information. The relator alleged that, as a result, the government was fraudulently induced to award contracts to the defendants.
The government declined to intervene in the case, and the defendants moved to dismiss the complaint for failure to plead materiality. The court disagreed, holding that the relator’s allegation that defendants did not “fully” disclose the extent of their noncompliance with the relevant regulations was sufficient to survive a Rule 12(b)(6) motion. While the court did not find that compliance with cyber requirements is, in fact, material, the Markus decision is significant because of the ease with which a relator can plausibly plead a cybersecurity-based FCA case.
One of Aerojet’s more interesting arguments was that the defense industry’s general non-compliance with these regulations weighed against a finding of materiality. As an aside, a recent survey of small and medium-sized defense contractors by the National Defense Industrial Association found that less than 60% of respondents had even read the DFARS requirement documentation, and over 45% had not read the NIST publication (NIST SP 800-171) that forms the foundation for the DFARS requirements.[2] Without conceding the point, the court held that “[e]ven if the government never expected full technical compliance, relator properly pleads that the extent to which a company was technically compliant still mattered to the government’s decision to enter into a contract.” If this reasoning takes hold, a relator would need only allege that some misrepresentation or omission was made in describing a contractor’s cybersecurity safeguards in order to survive a motion to dismiss.[3]
It is challenging enough to keep up with the ever-evolving federal regulatory landscape on cyber. The prospect of having to face qui tam suits based on any perceived misrepresentations regarding compliance only raises the stakes. But the task is made harder still by the differing degrees to which agencies demand protection. This is exemplified in Markus, where DoD’s regulations define “adequate security” as “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information” (48 C.F.R. 252.204-7012(a)), but NASA’s regulations rigidly required contractors “to protect the confidentiality, integrity, and availability of NASA [information] and protect [it] from unauthorized disclosure” (48 C.F.R. 1852.204-76(a)). On top of these technical and legal challenges, Ellen Lord, DoD Undersecretary for Acquisition and Sustainment, stated in January that DoD will begin auditing the cybersecurity procedures of companies that seek to do business with the government.
Unfortunately, we are likely to see many more cases like Markus in the coming years.
How We Can Help
Nichols Liu advises on both cybersecurity requirements for government contractors, and the fallout from breaches and lapses in compliance related to these requirements.
[1] https://nicholsliu.com/cybersecurity-for-government-contractors/
[2] http://www.ndia.org/-/media/sites/ndia/divisions/manufacturing/documents/cybersecurity-in-dod-supply-chains.ashx?la=en
[3] The court also rejected other, more traditional arguments in the wake of Escobar: that the government had been told of Aerojet’s non-compliance, if any; that the government continued to contract with Aerojet thereafter; that DOJ had declined the case; and that cybersecurity was not the “central purpose” of the missile-defense contract.