Aerojet Rocketdyne received another blow last week in its long running battle to end a 2015 False Claims Act suit alleging it lied about its compliance with cybersecurity requirements in order to win several federal contracts. In United States ex rel. Brian Markus v. Aerojet Rocketdyne, Inc., the relator, Aerojet’s former senior director of cybersecurity, alleged that the company entered into several Department of Defense and NASA contracts while knowingly misrepresenting its compliance with cybersecurity requirements. The relator raised two separate legal theories—implied false certification and fraud in the inducement—based on the company’s alleged failure to fully disclose the extent of its noncompliance with cybersecurity controls required by DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and NASA FARS 1852.204-76, Security Requirement for Unclassified Information Technology Resources. In 2019, the company’s motion to dismiss on the ground that the relator failed to demonstrate the cybersecurity requirements at issue were material was denied. We covered that decision in a previous article.
Eastern District of California Judge William Shubb’s most recent opinion on the parties’ cross-motions for summary judgment spells more bad news for the company. Aerojet was able to obtain a favorable ruling on the implied false certification theory: those claims were denied because the only allegedly false certification was related to a contract awarded after the filing of the complaint and it was therefore not relevant to the litigation. However, the court refused to end the relators’ claim for promissory fraud (or fraud in the inducement), holding that there were triable issues of fact as to whether Aerojet fraudulently induced the government to enter into contracts by materially misrepresenting its cybersecurity compliance, including questions as to the materiality of the cybersecurity requirements and the falsity of Aerojet’s compliance claims. The court’s decision seems to be heavily influenced by a rare Statement of Interest filed by the government, which declined to litigate the case itself but filed a brief opposing many of Aerojet’s key arguments.
Aerojet argued that the relator’s fraudulent inducement claims failed on the element of falsity because the company did not make any false statements to the government. Aerojet does not dispute that it was not in compliance with the relevant DFARS and NASA FARS requirements, but instead observed that it repeatedly disclosed that it was not in compliance with requirements to the government and even worked with the agencies to obtain a waiver of the requirements. Both the relator and the government argued those disclosures were inadequate and misleading and thus still false. For example, while a 2014 audit found that Aerojet was compliant with only 5 of 59 DFARS requirements, Aerojet provided a compliance matrix stating that it was compliant with 10 of 59 requirements. The company also purportedly failed to disclose certain breaches and leaks that the court noted might have been material to the government’s award decision.
Perhaps more troublesome as a matter of general applicability, the court also pointed to language in DFARS 252.204-7012 stating that contractors must meet an undefined requirement to have “adequate security” and that the listed control requirements represent only a “minimum” standard of compliance. According to the court, the fact that an audit firm identified several high, moderate, and low risk deficiencies in Aerojet’s systems and was able to penetrate the company’s network within four hours might lead a reasonable trier of fact to find that Aerojet did not meet the “adequate security” requirement.
Departing from the D.C. Circuit’s recent decision in United States ex rel. Adams v. Dell Computer Corp. (discussed in our blog post), the court also rejected Aerojet’s arguments that the cybersecurity requirements were not material. The company pointed to the Supreme Court’s holding in Escobar that “if the Government regularly pays a particular type of claim in full despite actual knowledge that certain requirements were violated, and has signaled no change in position, that is strong evidence that the requirements are not material,” and cited to several instances in which the government awarded contracts to other contractors not in compliance with the relevant cybersecurity regulation. Siding with the government, the court rejected those arguments, finding that Aerojet failed to provide sufficient information about those instances, including the level of the noncompliance at issue in those awards.
Finally, the court denied the cross-motions for summary judgment as to the amount of damages. The relator argued that damages amounted to a multiple of the entire value of the contracts at issue, or $19 billion, while Aerojet argued that the government suffered no damages at all because it received the rockets included in the contract. Seemingly sympathetic to the government’s argument that it “did not just contract for rocket engines, but also contracted with [Aerojet] to store the government’s technical data on a computer system that met certain cybersecurity requirements,” the court found that neither theory of damages was correct as a matter of law: “In essence, relator would have the court find as a matter of law that what the government received under the contracts had no economic value whatsoever, whereas defendants would have the court find that the government received the full economic value of goods and services [that Aerojet] was contracted to provide. Neither of these propositions is supported by the record before the court at this time. The amount of statutory or actual damages, if any, to which relator would be entitled is for the trier of fact to determine and cannot be adjudicated on summary judgment.”
The Aerojet litigation highlights the increasing False Claims Act risk that federal contractors face related to cybersecurity concerns. The government has demonstrated its intent to aggressively pursue claims under the Civil Cyber-Fraud Initiative, and contractors must heed the government’s warnings about maintaining a strong cybersecurity program in order to avoid becoming the next target.