U.S. District Court for the District of Columbia Finds That Alleged Cybersecurity Vulnerability Is Not Material Under False Claims Act

In a decision sure to bring some comfort to contractors providing information technology equipment and services to the federal government, a U.S. district court judge recently granted a motion to dismiss a False Claims Act (FCA) suit, finding that the relator had failed both to establish materiality under the FCA and to adequately allege the necessary scienter on the part of the contractor.

In United States ex rel. Adams v. Dell Computer Corp.,[1] the relator, a self-described cybersecurity expert not affiliated with Dell, alleged that through his own independent testing methods he had uncovered a vulnerability in certain Dell computer systems. The government declined to intervene in the action. Adams argued that, by allowing this vulnerability to persist in computers furnished to the federal government, Dell had made false statements and had falsely certified compliance with government technology policies and requirements in violation of the False Claims Act.

Ruling on a motion to dismiss, the court summarily dismissed the false statements count because the complaint did not allege with particularity any specific false statement made by Dell.

In considering the second claim, the court acknowledged that the D.C. Circuit has accepted the “implied certification” theory under the FCA. To establish implied false certification at the motion to dismiss stage, “a relator must allege that (1) defendant certified compliance with a particular contractual condition, (2) defendant failed to comply with that condition, (3) defendant knowingly misrepresented the noncompliance, and (4) compliance was a condition ‘material to the government’s decision to pay.’”[2]

In addressing whether the defect was, or could have been, material to the government’s decision to purchase the computer systems at issue, the court cited the Supreme Court’s Escobar decision as establishing a “demanding” standard for FCA materiality.[3] The court acknowledged the government’s interest in the security of the computer systems it purchases, as well as the existence of various federal government technology policies, but found that these factors were not sufficient to establish materiality. The court found some ambiguity as to whether the government’s technology policies extended to the defendant at all but, even assuming they did, noted that the mere existence of a vulnerability was not enough to establish materiality. The government’s cybersecurity policies do not require defect-free products; they require computer systems with limited vulnerabilities and the means to remediate and mitigate any vulnerabilities that do appear. The court also found somewhat persuasive the defendant’s argument that federal agencies continued to purchase the computer systems in question even after the government was aware of the relator’s allegations, further demonstrating a lack of materiality.

Additionally, the court found that the relator had not adequately alleged that the company knew, or should have known, of the alleged defect, and therefore concluded that the FCA’s scienter requirement was not met. The relator’s own claims that he was uniquely qualified to identify the vulnerability, and had done so only through complex testing using “unique methods and tools,” in large part undercut any inference that the company could have been aware of it. Even assuming knowledge on the part of the company’s engineers, however, the court determined that there was no reason to believe that the persons with knowledge of the alleged defect were also aware that the defect violated a material provision of the company’s agreements with federal agencies. The court stated that the FCA’s knowledge requirement demands such a connection.

In summary, this decision stands for the principle that a cybersecurity vulnerability that does not violate a federal contract’s explicit terms cannot, by itself, form a sufficient basis for an FCA claim, particularly where that vulnerability is difficult to identify and test. The case can be contrasted with other recent decisions finding that cybersecurity compliance certifications made with knowledge of, or reckless disregard for, their falsity can form the basis of an FCA claim.[4] (See our prior blog article on this point.)

While the D.C. district court decision is a welcome one for contractors faced with potential FCA claims, government contractors should continue to take great care to comply with cybersecurity requirements, particularly those explicitly included in contract terms, to avoid exposure under the False Claims Act as well as the threat of contract claims or termination for default.

[1] United States ex rel. Adams v. Dell Computer Corp., No. 1:15-cv-608 (D.D.C. 2020).

[2] Id. at *6 (citing United States v. Sci. Applications Int’l Corp. (SAIC), 626 F.3d 1257, 1269-71 (D.C. Cir. 2010); Universal Health Servs., Inc. v. United States ex rel. Escobar, 136 S. Ct. 1989, 2001 (2016)).

[3] Universal Health Servs., Inc. v. United States ex rel. Escobar, 136 S. Ct. 1989 (2016).

[4] See, e.g., United States ex rel. Markus v. Aerojet Rocketdyne, Inc., 381 F. Supp. 3d 1240 (E.D. Cal. 2019) (denying motion to dismiss FCA claim where contractor was alleged to have falsely certified compliance with cybersecurity requirements); United States ex rel. Glenn v. Cisco Systems Inc., No. 1:11-cv-00400-RJA (W.D.N.Y. 2019) (complaint alleged FCA claims related to vulnerabilities in video surveillance software; Cisco settled the case with the Justice Department for $8.6 million).

*Michaela Thornton contributed to this blog post. Michaela is a full-time law student at The George Washington University Law School and a Law Clerk with Morrison & Foerster’s government contracts practice group.