Settlement Highlights Challenges of Using False Claims Act for Cybersecurity Compliance

U.S. Deputy Attorney General Lisa Monaco, right, speaks during a press conference with Attorney General Merrick Garland and other law enforcement officials at the Robert F. Kennedy Main Justice Building on November 8, 2021, in Washington. A civil settlement could boost DoJ efforts to prosecute or fine contractors for cybersecurity violations, but experts say the victory is partial at best. (Photo by Chip Somodevilla/Getty Images)

Details of the long-awaited conclusion of a civil lawsuit could bolster the government’s position that it can leverage a 150-year-old law to prosecute companies that fail to comply with cybersecurity regulations set out in federal contracts. However, some federal and legal experts say the victory should be seen as partial at best, noting that more aggressive efforts to use the False Claims Act on a large scale to influence contractor behavior will likely require additional lengthy and costly battles before the courts.

In May, a lawsuit against aerospace and defense supplier Aerojet Rocketdyne filed under the False Claims Act was settled two days after its trial. Court documents last week revealed key details of the settlement, with the company agreeing to pay a $9 million fine, including $2.61 million to Brian Marcus, the former employee who filed the lawsuit on behalf of the government. The civil case, first presented in 2015, was primarily based on allegations that the company had obtained billions of dollars in federal contracts from the Department of Defense and NASA while fraudulently claiming that it was complying with federal cybersecurity procurement regulations.

Kellen Dwyer, a former assistant deputy attorney general at the Department of Justice, told SC Media that the case and the settlement are good news for the government, which strengthens the legal basis for using the False Claims Act to prosecute contractor cybersecurity malfeasance in the future.

“I think it’s a victory for the government side in the sense that the case has gone to trial. Letting it go to trial, the judge decides that the theory they were bringing – that you can have an FCA claim based on insufficient compliance with cybersecurity requirements in a federal contract – is a valid theory and it’s the one a court will let it go before and eventually go to a jury,” said Dwyer, who led the government’s criminal hacking cases against WikiLeaks founder Julian Assange and Russian cybercriminal Aleksey Burkov as assistant US attorney for the Eastern District of Virginia.

Testing Civil War-era law to enforce cybersecurity compliance in federal contracts?

Last year, the Justice Department announced a major move to build on the False Claims Act – a law originally passed during the Civil War to combat rampant fraud by unscrupulous contractors supplying the Union Army – to sue contractors who misrepresent their compliance with cybersecurity regulations in federal contracts.

This is a new legal argument. Although the government is not pursuing the case against Aerojet Rocketdyne, it has submitted a statement of interest in the case, and observers see this as a test for the DoJ’s broader stance on the use of the False Claims Act. In announcing the effort last year, Assistant Attorney General Lisa Monaco referred to the False Claims Act as “the primary civil tool for redressing false claims of federal funds and property involving government programs and operations.”

“Where those entrusted with government money, who are tasked with working on sensitive government systems, fail to meet required cybersecurity standards, we will prosecute that behavior and extract… very heavy fines,” said Monaco.

Although Dwyer said he believed the resolution ultimately strengthened the government’s case, it was only a partial victory as it did not result in a trial or a final ruling in favor of the government, and because it didn’t address “the aspirational nature of some of these cybersecurity compliance issues programs” and how they will be treated by the courts in future cases.

Part of the defense put forward by Aerojet Rocketdyne’s lawyers when they tried to have the case thrown out was that the government had known for years that they and other contractors were not fully complying with the FAR cybersecurity regulations, yet had historically failed to bring such claims or deny payment on this basis.

While a judge cleared the case to go to a jury and the settlement requires Aerojet Rocketdyne to pay the government $9 million, the settlement also includes a statement that the company denies any wrongdoing, which blurs the picture around its full legal culpability under the False Claims Act.

“Relator agrees that this…is a compromise settlement of the disputed claims and shall not be considered or construed at any time or for any purpose as an admission of fact or liability by defendants for any violation of Relator’s rights or any breach of contract or statute or common law, or any wrongdoing of any kind,” the settlement reads.

A spokesperson for Aerojet Rocketdyne acknowledged SC Media’s request but declined to comment on the settlement.

Dwyer said future cases pursued under the same legal theory by the DoJ must go further by demonstrating that the government views cybersecurity noncompliance as a serious breach of contract.

“I think that in the future, if the government intends to use the misrepresentation law to enforce these claims to enforce cybersecurity provisions in federal contracts, it will have to indicate more clearly that it is something that is material and something that they are expecting to be respected, otherwise they won’t pay,” he said. “I think they can… do more to create the case that it is something with the language in the contract and [relates to] how they behave throughout the life of the contract to make it clear that cybersecurity is a material provision, which culturally perhaps wasn’t 10 years ago.”

Robert Metzger, an attorney and defense contract expert, noted that the monetary penalties are “significant,” particularly because the company had to foot the bill for some of the relator’s legal costs, but still “less than what I expected” given the allegations and the time spent by the parties in court. The terms of the settlement signal to him that the Department of Justice’s civil cyber-fraud initiative may have a tough road to travel leveraging the False Claims Act on a massive scale.

“Given the length of the proceedings, whistleblowers and their ‘kin’ attorney, and even the Department of Justice, should temper their enthusiasm for using the False Claims Act as a weapon to ‘police’ cyber compliance entrepreneurs,” Metzger wrote in a LinkedIn post last week. “As I said before, FCA cases are difficult to bring and expensive to prosecute. There has been a payback here [for the whistleblower and counsel] but that was a long time coming and it took a tough and tough fight.”
