A California federal court recently allowed a relator’s False Claims Act suit against two federal contractors to proceed where the relator’s allegations centered on purported noncompliance with federal cybersecurity requirements. As discussed below, this case should serve as a wake-up call to federal contractors, as it not only confirms that perceived noncompliance with federal cybersecurity requirements may give rise to liability under the False Claims Act, but it also provides a potential roadmap for other relators.
Summary of Relevant Cybersecurity Requirements
By way of background, the court summarized the relevant cybersecurity requirements as follows:
Government contracts are subject to Federal Acquisition Regulations [FAR] and are supplemented by agency specific regulations. On November 18, 2013, the DoD issued a final rule, which imposed requirements on defense contractors to safeguard unclassified controlled technical information from cybersecurity threats. 48 C.F.R. § 252.204-7012 (2013). The rule required defense contractors to implement specific controls covering many different areas of cybersecurity, though it did allow contractors to submit an explanation to federal officers explaining how the company had alternative methods for achieving adequate cybersecurity protection, or why standards were inapplicable. See id. In August 2015, the DoD issued an interim rule, modifying the government’s cybersecurity requirements for contractor and subcontractor information systems. 48 C.F.R. § 252.204-7012 (Aug. 2015). The interim rule incorporated more cybersecurity controls and required that any alternative measures be “approved in writing prior by an authorized representative of the DoD [Chief Information Officer] prior to contract award.” Id. at 252.204-7012(b)(1)(ii)(B). The DoD amended the interim rule in December 2015 to allow contractors until December 31, 2017 to have compliant or equally effective alternative controls in place. See 48 C.F.R. § 252.204-7012(b)(1)(ii)(A) (Dec. 2015). Each version of this regulation defines adequate security as “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.” 48 C.F.R. § 252.204-7012(a).
Further, as the court explained:
Contractors awarded contracts from NASA must comply with relevant NASA acquisition regulations. 48 C.F.R. § 1852.204-76 lists the relevant security requirements where a contractor stores sensitive but unclassified information belonging to the federal government. Unlike the relevant DoD regulation, this NASA regulation makes no allowance for the contractor to use alternative controls or protective measures. A NASA contractor is required to “protect the confidentiality, integrity, and availability of NASA Electronic Information and IT resources and protect NASA Electronic Information from unauthorized disclosure.” 48 C.F.R. § 1852.204-76(a).
Factual and Procedural Background
The relator worked for the defendants, two companies that “develop and manufacture products for the aerospace and defense industry,” as the senior director of Cyber Security, Compliance, and Controls from June 2014 to September 2015.
The relator alleges that the defendants “fraudulently entered into contracts with the federal government despite knowing that they did not meet the minimum standards required to be awarded a government contract.”
The relator also alleges “that when he started working for defendants in 2014, he found that defendants’ computer systems failed to meet the minimum cybersecurity requirements to be awarded contracts funded by the DoD or NASA.” He claims that the defendants knew that they were “not compliant with the relevant standards as early as 2014,” and that they “repeatedly misrepresented [their] compliance with these technical standards in communications with government officials.”
The relator additionally alleges “that the government awarded [one of the companies] a contract based on these allegedly false and misleading statements,” and that “[i]n July 2015, relator refused to sign documents that defendants were now compliant with the cybersecurity requirements, contacted the company’s ethics hotline, and filed an internal report.”
Defendants terminated relator’s employment in September 2015, and the relator filed his initial complaint with the court in October 2015. In his complaint, the relator alleges, among other things, that defendants violated the False Claims Act, which imposes liability on anyone who “knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval,” 31 U.S.C. § 3729(a)(1)(A), or “knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim,” id. § 3729(a)(1)(B).
Thereafter, the defendants filed a motion to dismiss the case, alleging that the relator had failed to state a claim upon which relief can be granted. The court, however, denied the defendants’ motion to dismiss the relator’s primary False Claims Act count, concluding that the “relator has plausibly pled that defendants’ alleged failure to fully disclose its noncompliance [with federal cybersecurity requirements] was material to the government’s decision to enter into and pay on the relevant contracts.”
The court’s recent decision in this case should serve as a wake-up call to all federal government contractors that are subject to cybersecurity requirements. While government contractors have long feared that perceived noncompliance with federal cybersecurity requirements may give rise to liability under the False Claims Act, as noted above, the court’s decision in this case not only validates those fears, but provides a potential roadmap for other relators.
In light of this new reality, federal contractors would be wise to review and document their compliance with relevant cybersecurity requirements, and also be proactive when it comes to identifying and remedying any potential shortcomings.
If you have any questions about this noteworthy development, or about any related issues, please do not hesitate to contact Aron Beezley.