On July 8, 2022, the Department of Justice announced that Aerojet Rocketdyne Inc.—a government contractor providing propulsion and power systems for launch vehicles, missiles and satellites and other space vehicles to the Department of Defense, NASA, and other federal agencies—agreed to pay $9 Million to resolve allegations that the company violated the False Claims Act by misrepresenting its compliance with cybersecurity requirements in certain federal government contracts.  This is one of the first documented cases (which PilieroMazza attorneys discussed in a 2019 podcast) where a failure to meet cybersecurity requirements alleged by a whistleblower led to an FCA settlement. Government contractors, particularly those working with the Department of Defense, should pay close attention to these settlements and ensure their cybersecurity compliance requirements are in place to avoid hefty financial penalties.

Background

The settlement resolves a lawsuit filed in 2015 and litigated by former Aerojet employee Brian Markus against Aerojet under the qui tam or whistleblower provisions of the FCA, which permit a private party (known as a relator) to file a lawsuit on behalf of the United States and receive a portion of any recovery. Mr. Markus and Aerojet reached a settlement of the case on the second day of trial. Mr. Markus will receive $2.61 million as his share of the $9 Million recovery.

The settlement bolsters DOJ’s Civil Cyber-Fraud Initiative, announced in October 2021, which aims to hold accountable entities or individuals that:

1. put U.S information or systems at risk by knowingly providing deficient cybersecurity products or services,
2. knowingly misrepresenting their cybersecurity practices or protocols, or
3. knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

That the Aerojet case could proceed to trial despite multiple requests for dismissal from Aerojet offers some support for the foundational premise of the initiative:  cybersecurity noncompliance can lead to FCA liability.

What Should Contractors Do?

Be proactive. If your company does not have a solid cybersecurity and data privacy policy, implement one at your earliest convenience to protect your company (and your contract) from potential whistleblowers and possible enforcement from DOJ’s Civil Cyber-Fraud Initiative. If you already have a policy in place, have it reviewed annually to ensure it complies with all the provisions of the FCA and the specific provisions of your contract. Having a policy is not just a compliance requirement for businesses working with the federal government, but it’s a valuable tool in helping you bid for, win, and maintain future contracts.