Disclaimer

The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.

 Skip to Content

Recent Cases Indicate Viability of False Claims Act Liability Connected to Federal Cybersecurity Standards
January 09, 2020
Introduction

Government contractors are no strangers to the numerous quality standards and assurances required by the government. Over the past several years, cybersecurity in federal contracting has emerged as yet another standard to achieve. While data breaches are big news in the private sector, the issue remained somewhat under the radar for public contracts — until now.

Last summer, two significant whistleblower cases sent ripples through the False Claims Act (FCA) community by demonstrating the specter of FCA liability resulting from the failure to comply with cybersecurity requirements in government contracts. In May, the U.S. District Court for the Eastern District of California refused to dismiss a case alleging that Aerojet Rocketdyne Holdings Inc. falsely asserted its compliance with the Department of Defense’s (DOD) cybersecurity standards. Then, in late July, the government announced that Cisco Systems Inc. agreed to pay $8.6 million to settle a whistleblower suit alleging that the company fell short of federal cybersecurity standards by selling video surveillance products with known vulnerabilities that hackers could exploit. These cases show that cybersecurity-based FCA claims may be the new frontier and that such claims may prove difficult to defeat depending on the facts in any given case.

False Claims Act Overview

The FCA, 31 U.S.C. §§ 3729–3733, prohibits the submission of false or fraudulent claims to the government. The statute imposes civil liability for knowingly (i) submitting a false or fraudulent claim for payment; (ii) causing such a claim to be submitted for payment; (iii) making, using, or causing to make or use a false record or statement material to a false or fraudulent claim; (iv) conspiring to get such a claim paid or approved; or (v) making a false record or statement to conceal or avoid an obligation to pay money to the government. The act also imposes rigorous materiality requirements, defined as “having a natural tendency to influence, or be capable of influencing, the payment or receipt of money or property.” 31 U.S.C. § 3729(b)(4).

The FCA allows an individual, known as a relator, to bring a civil action on behalf of the government under the act’s whistleblower, or qui tam, provisions. A relator files the complaint under seal in a federal district court and serves the government with a copy of the complaint and a written statement of all material evidence supporting the allegations. The complaint may remain sealed for 60 days while the government investigates the allegations. This seal is frequently extended for months or years before the case proceeds.

Before unsealing the complaint, the government notifies the relator and the court of whether it will become formally involved, or “intervene,” in the case. If the government intervenes, the relator generally receives 15% to 25% of the government’s recovery in the event of settlement or judgment in favor of the United States. If the government declines to intervene, the relator may independently proceed with the action and may receive 25% to 30% of any recovery. In addition, the relator is entitled to a separate award for reasonable attorneys’ fees and costs.

Cases brought under the FCA can result in judgment of up to three times the amount of damages plus a monetary civil penalty per false claim. 31 U.S.C. § 3729(a)(1). The act requires a knowledge component, shown by (i) having actual knowledge; (ii) acting “in deliberate ignorance of whether the information is true or false”; or (iii) acting “in reckless disregard of the truth or falsity of the information.” 31 U.S.C. § 3729(b)(1).

U.S. ex rel. Markus v. Aerojet Rocketdyne Holdings Inc.

The relator in Markus served as the defendants’ senior director of cybersecurity from June 2014 to September 2015. The relator alleged that the defendants’ computer systems failed to meet the minimum cybersecurity requirements necessary to receive a contract award funded by the DOD. The relator claimed that the defendants knew they were not compliant with the relevant standards as early as 2014, but that they repeatedly misrepresented their compliance with such technical standards to government officials. Based on those allegedly false and misleading statements, the government awarded one of the defendants a DOD-funded contract. The relator further alleged that the defendant employer wanted him to certify that the company was compliant with the DOD regulations when, in fact, it was not. The relator refused to sign the certification, contacted the company’s ethics hotline, and filed an internal report.

The defendants apparently terminated the relator in September 2015, and the relator filed his initial complaint alleging violations of the FCA in October 2015. The United States declined to intervene in the case. The defendants moved to dismiss the complaint, but the court denied the motion, holding that the relator “plausibly pled that defendants’ alleged failure to fully disclose its noncompliance [with federal cybersecurity requirements] was material to the government’s decision to enter into and pay on the relevant contracts.”

The case stands for the proposition that cybersecurity compliance is, and will likely continue to be, a material aspect of contracts that require certification of compliance with (i) an articulated cybersecurity standard or (ii) “adequate” protections for data.

Cisco’s $8.6 Million FCA Settlement

The Cisco settlement is believed to be the first FCA payout for a cybersecurity-related allegation. The relator initially filed the case under seal in 2011. According to the complaint, the relator tested a line of Cisco products in 2008 and discovered that there were security risks in the products’ design. Cisco terminated the relator a few months after he submitted a report on the vulnerabilities of the product line and regularly followed up after receiving no response to his report. Despite this report, Cisco marketed and sold the surveillance products to federal government agencies.

In mid-2013, almost two years after the suit’s filing, Cisco acknowledged that there were security vulnerabilities that may allow an attacker to gain full administrative privileges on the system, including the ability to alter camera feeds. There is no indication that those vulnerabilities were actually exploited. On July 31, 2019, the United States intervened in the suit for the purpose of settlement, joined by 15 states and the District of Columbia. Cisco subsequently agreed to settle the lawsuit without admitting any liability.

This settlement suggests that successful enforcement of a cybersecurity claim under the FCA may not depend on proof of an actual cyber breach; instead, the mere possibility of a breach could be sufficient. Additionally, companies must maintain a zero-tolerance policy for retaliation against cybersecurity whistleblowers. Retaliating against employees who report concerns internally may not only run afoul of FCA anti-retaliation provisions, but also could encourage those employees to file qui tam actions.

Conclusion

Companies contracting with the government must remain aware of the government’s growing focus on cybersecurity compliance. Given the fast-paced developments in technology and increasing pressure to devise ways to counteract cyberattacks, contractors should demonstrate and document on an ongoing basis that they are assessing cybersecurity compliance and regularly updating their system security plans. By doing so, companies can more fully explain their compliance with cyber requirements, and potentially thwart allegations of a “knowing” violation of any compliance standards. An effective compliance program can drive a robust cyber risk management process and promote an environment with zero-tolerance for retaliation.
Authored By
Image: Adam P. Schwartz
Adam P. Schwartz
Image: Erin J. Hoyle
Erin J. Hoyle
Related Practices
Cybersecurity and Privacy White Collar Crime & Government Investigations
©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.