Aerojet Rocketdyne Agrees to Pay $9 Million to Resolve False Claims Act Allegations of Cybersecurity Violations in Federal Government Contracts

Aerojet Rocketdyne Agrees to Pay $9 Million to Resolve False Claims Act Allegations of Cybersecurity Violations in Federal Government Contracts

Blog WilmerHale Privacy and Cybersecurity Law

On July 8, 2022, the Department of Justice (“DOJ”) announced in a press release that Aerojet Rocketdyne Inc, a provider of advanced propulsion and energetics systems for multiple government agencies, reached a settlement agreeing to pay $9 million against allegations that Aerojet violated the Federal False Claims Act (“FCA”) by misrepresenting its compliance with cybersecurity requirements in certain federal government contracts.

Against the backdrop of the Civil Cyber-Fraud Initiative announced by the DOJ on October 6, 2021, this settlement underscores the DOJ’s commitment to FCA enforcement actions pertaining to cybersecurity. Notably, it also serves to highlight that plaintiffs’ qui tam or whistleblower provision of the FCA is effective in assisting the government to identify and pursue potentially fraudulent cybersecurity conduct.1

In light of the settlement, the breadth of qui tam enforcement and the increased regulatory scrutiny and civil cyber-fraud initiatives, companies providing services to the federal government should assess and potentially bolster their cybersecurity compliance efforts, ensuring that all disclosures pertaining to the company’s cybersecurity infrastructure and protections are accurate and complete.

To learn more about the DOJ’s Civil-Cyber Fraud Initiative, please review our client alert on this topic.

The Aerojet Settlement

Government contracts are subject to the Defense Federal Acquisition Regulations (“DFARS”) which safeguards unclassified “controlled technical information” or information with military or space application that is subject to access and use controls from cybersecurity threats. Similarly, contractors awarded contracts from NASA must comply with relevant NASA Federal Acquisition Regulations (“NFARS”). The NFARS impose requirements on defense contractors and sub-contractors to protect the confidentiality, integrity and availability of information from unauthorized disclosure.

In this case, Brian Markus (“relator”) was employed by Aerojet as the senior director for Cyber Security, Compliance & Controls from June 2014 to September 2015. In July 2015, relator refused to sign documents indicating that Aerojet was compliant with the cybersecurity requirements; he contacted the company’s ethics hotline, and filed an internal report. Relator was terminated shortly thereafter on September 14, 2015.

In the complaint, relator alleged that Aerojet failed to comply with the DFARS and NFARS clauses, which require the protection of controlled unclassified information and other sensitive information. Relator’s complaint also alleges that Aerojet made false statements regarding Aerojet's cybersecurity status by not disclosing the full extent of Aerojet's noncompliance with the DFARS and NASA FARS clauses. Relator argues any disclosures to DoD agencies “softened,” the state of Aerojet’s noncompliance or were cherrypicked, which resulted in omissions of information that the government would want to know to make assessment about the safety of its information. In a ruling in May 2019, the Eastern District of California court held that “accepting these allegations as true, the government may not have awarded these contracts if it knew the full extent of the company’s noncompliance, because how close [Aerojet] was to full  compliance was a factor in the government’s decision to enter into some contracts.”2

On July 5, 2022, Judge Shubb of the US District Court of the Eastern District of California dismissed the FCA claims, granted the FCA settlement and dismissed any employment related claims with prejudice.

To stay updated with additional cybersecurity updates, please subscribe to the WilmerHale Privacy and Cybersecurity Blog.


Under the qui tam provision of the FCA, a person and entity with evidence of fraud against federal programs can sue the wrongdoer on behalf of the United States Government. The government has the right to intervene and join the action or can decline intervention. Here, the government declined intervention.

https://www.govinfo.gov/content/pkg/USCOURTS-caed-2_15-cv-02245/pdf/USCOURTS-caed-2_15-cv-02245-5.pdf.

Authors

More from this series

Notice

Unless you are an existing client, before communicating with WilmerHale by e-mail (or otherwise), please read the Disclaimer referenced by this link.(The Disclaimer is also accessible from the opening of this website). As noted therein, until you have received from us a written statement that we represent you in a particular manner (an "engagement letter") you should not send to us any confidential information about any such matter. After we have undertaken representation of you concerning a matter, you will be our client, and we may thereafter exchange confidential information freely.

Thank you for your interest in WilmerHale.