Aerojet and the qui tam relator have entered into a 13th hour settlement—after a jury was seated and the trial was underway—to resolve the much-watched United States ex rel. Brian Markus v. Aerojet Rocketdyne, Inc. False Claims Act (“FCA”) case. The parties—including the Department of Justice, which must consent to the settlement of qui tam claims—all seem to agree they do not want to run the risk of leaving this matter to be decided by a jury. Although it will not be the fully litigated test case for cyber-related FCA liability, the settlement shows that cyber noncompliance can have real financial consequences for government contractors.
The relator, Aerojet’s former senior director of cybersecurity, alleged the company entered into several Department of Defense and NASA contracts while knowingly misrepresenting its compliance with applicable cybersecurity requirements. The relator raised two separate legal theories—implied false certification and fraud in the inducement—based on the company’s alleged failure to fully disclose the extent of its noncompliance with cybersecurity controls required by DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and NASA FARS 1852.204-76, Security Requirement for Unclassified Information Technology Resources. In 2019, the court denied the company’s motion to dismiss, rejecting the company’s argument that the relator had failed to demonstrate the cybersecurity requirements were material. We covered that decision in a previous article.
In February of this year, Aerojet obtained a favorable summary judgment ruling on the implied false certification theory. The court rejected those claims because the only allegedly false certification was related to a contract awarded after the filing of the complaint. However, the court refused to end the relator’s claim for promissory fraud (often known as fraud in the inducement), holding that there were triable issues of fact as to whether Aerojet fraudulently induced the government to enter into contracts by materially misrepresenting its cybersecurity compliance. The open issues included factual questions as to the materiality of the cybersecurity requirements and the falsity of Aerojet’s compliance claims. See this prior article for a discussion of that decision. We also addressed a similar FCA case concerning the materiality of alleged cybersecurity vulnerabilities here.
As noted in our prior posts on this topic, the settlement confirms that noncompliance with cybersecurity requirements can form the basis of potential FCA exposure. Government contractors must carefully comply with cybersecurity requirements not just to avoid FCA liability but also contract claims and terminations for default. This is particularly true given the current administration’s focus on these issues, including the Department of Justice’s establishment of a cyber-fraud task force (see here) and last year’s Executive Order on improving the nation’s cybersecurity (see here). Aerojet may be out of the woods, but we are likely to see more cases like this now that the FCA has proven it can be a viable tool for bringing cyber-related claims.