On July 8, 2022, the Department of Justice (“DOJ”) announced in a press release that Aerojet Rocketdyne Inc., a provider of advanced propulsion and energetics systems for multiple government agencies, had reached a settlement under which it agreed to pay $9 million to resolve allegations that Aerojet violated the Federal False Claims Act (“FCA”) by misrepresenting its compliance with cybersecurity requirements in certain federal government contracts.
Against the backdrop of the Civil Cyber-Fraud Initiative announced by the DOJ on October 6, 2021, this settlement underscores the DOJ’s commitment to FCA enforcement actions pertaining to cybersecurity. Notably, it also highlights that the qui tam, or whistleblower, provision of the FCA is effective in helping the government identify and pursue potentially fraudulent cybersecurity conduct.1
In light of the settlement, the breadth of qui tam enforcement and the increased regulatory scrutiny and civil cyber-fraud initiatives, companies providing services to the federal government should assess and potentially bolster their cybersecurity compliance efforts, ensuring that all disclosures pertaining to the company’s cybersecurity infrastructure and protections are accurate and complete.
To learn more about the DOJ’s Civil Cyber-Fraud Initiative, please review our client alert on this topic.
The Aerojet Settlement
Government contracts are subject to the Defense Federal Acquisition Regulations (“DFARS”), which safeguard unclassified “controlled technical information,” or information with military or space application that is subject to access and use controls, from cybersecurity threats. Similarly, contractors awarded contracts from NASA must comply with relevant NASA Federal Acquisition Regulations (“NFARS”). The NFARS impose requirements on defense contractors and subcontractors to protect the confidentiality, integrity and availability of information from unauthorized disclosure.
In this case, Brian Markus (“relator”) was employed by Aerojet as the senior director for Cyber Security, Compliance & Controls from June 2014 to September 2015. In July 2015, relator refused to sign documents indicating that Aerojet was compliant with the cybersecurity requirements; he contacted the company’s ethics hotline and filed an internal report. Relator was terminated shortly thereafter, on September 14, 2015.
In the complaint, relator alleged that Aerojet failed to comply with the DFARS and NFARS clauses, which require the protection of controlled unclassified information and other sensitive information. Relator’s complaint also alleged that Aerojet made false statements regarding its cybersecurity status by not disclosing the full extent of its noncompliance with the DFARS and NASA FARS clauses. Relator argued that any disclosures to DoD agencies “softened” the state of Aerojet’s noncompliance or were cherry-picked, which resulted in omissions of information that the government would want to know in order to assess the safety of its information. In a ruling in May 2019, the Eastern District of California court held that “accepting these allegations as true, the government may not have awarded these contracts if it knew the full extent of the company’s noncompliance, because how close [Aerojet] was to full compliance was a factor in the government’s decision to enter into some contracts.”2
On July 5, 2022, Judge Shubb of the US District Court of the Eastern District of California dismissed the FCA claims, granted the FCA settlement and dismissed any employment-related claims with prejudice.
To stay updated with additional cybersecurity updates, please subscribe to the WilmerHale Privacy and Cybersecurity Blog.
1 Under the qui tam provision of the FCA, a person or entity with evidence of fraud against federal programs can sue the wrongdoer on behalf of the United States Government. The government has the right to intervene and join the action or can decline intervention. Here, the government declined intervention.