From JDSupra, David Shafer discusses a recent settlement in which a government contractor agreed to pay $9 million to settle claims that the company made false statements regarding its compliance with cybersecurity requirements under federal contracts. Staffing firms that provide workers on federal contracts should review carefully any representations they make relating to their cybersecurity compliance. David writes:
On July 8, 2022, the Department of Justice announced that Aerojet Rocketdyne Inc.—a government contractor providing propulsion and power systems for launch vehicles, missiles and satellites and other space vehicles to the Department of Defense, NASA, and other federal agencies—agreed to pay $9 Million to resolve allegations that the company violated the False Claims Act by misrepresenting its compliance with cybersecurity requirements in certain federal government contracts. This is one of the first documented cases (which PilieroMazza attorneys discussed in a 2019 podcast) where a failure to meet cybersecurity requirements alleged by a whistleblower led to an FCA settlement. Government contractors, particularly those working with the Department of Defense, should pay close attention to these settlements and ensure their cybersecurity compliance requirements are in place to avoid hefty financial penalties.
The settlement resolves a lawsuit filed in 2015 and litigated by former Aerojet employee Brian Markus against Aerojet under the qui tam or whistleblower provisions of the FCA, which permit a private party (known as a relator) to file a lawsuit on behalf of the United States and receive a portion of any recovery. Mr. Markus and Aerojet reached a settlement of the case on the second day of trial. Mr. Markus will receive $2.61 million as his share of the $9 Million recovery.
The settlement bolsters DOJ’s Civil Cyber-Fraud Initiative, announced in October 2021, which aims to hold accountable entities or individuals that:
- put U.S information or systems at risk by knowingly providing deficient cybersecurity products or services,
- knowingly misrepresenting their cybersecurity practices or protocols, or
- knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
That the Aerojet case could proceed to trial despite multiple requests for dismissal from Aerojet offers some support for the foundational premise of the initiative: cybersecurity noncompliance can lead to FCA liability.
What Should Contractors Do?