On April 26, trial will begin in United States ex rel. Markus v. Aerojet Rocketdyne Inc., where relator Brian Markus, former senior director of cybersecurity at Aerojet, alleges that the company violated the False Claims Act (FCA) by concealing cybersecurity issues from the government.
When the Justice Department declined to intervene in 2018, few would have predicted that Markus’ case would become an indicator of a government initiative. But the Biden administration then prioritized cybersecurity, and the new DOJ civil initiative against cyberfraud will pursue FCA theories that resemble Markus’ case and allegations.
This lawsuit in the U.S. District Court for the Eastern District of California could establish a blueprint for the new DOJ initiative or identify potential roadblocks.
DOJ Civil Cyber Fraud Initiative
In May 2021, a ransomware attack shut down a US pipeline system for six days. Federal and state governments had to take emergency measures to maintain fuel supplies to parts of the country. After the attack, President Biden issued an executive order directing improvements to cybersecurity infrastructure, including systems operated by government contractors. The order directed the federal government to “use the full extent of its powers” to protect cybersecurity.
In October, the DOJ launched the Civil Cyber Fraud Initiative, pledging to “hold accountable” anyone “knowingly providing deficient cybersecurity products or services, knowingly misrepresenting its cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
The department has identified “three common cybersecurity failures that are prime candidates for potential application of the False Claims Act”: (1) “knowing breaches of cybersecurity standards” established by federal agencies; (2) “knowing misrepresentation of security controls,” such as “a contractor’s practices for monitoring its systems for breaches, or password and access requirements”; and (3) “failing to report suspected violations in a timely manner.”
Potential issues facing cyber fraud cases under the FCA
Pursuing whistleblower cases under the initiative will raise new issues. Most government contractors provide goods or services other than cybersecurity. While cybersecurity is undoubtedly important, federal agencies must balance it against their need to obtain the relevant goods and services, just as individuals balance their own desire for cybersecurity with the necessities of life online.
These practical realities will complicate efforts to prove that cybersecurity misrepresentations are “material” to payment decisions and proximately cause government losses.
Not every undisclosed legal or regulatory violation is material, as the U.S. Supreme Court made clear in Universal Health Services v. United States ex rel. Escobar. Describing the FCA’s materiality requirement as “rigorous,” the court explained that even a knowing breach will not attract FCA liability unless it affects whether an agency will pay a claim.
If the agency has a history of paying claims despite knowledge of similar violations, the requirement is probably not material. The DOJ will therefore have to prove that violations of cybersecurity requirements would likely affect whether an agency would pay the corresponding claim. This can be complicated, especially when the government is paying for a specialized good or service that it cannot easily obtain.
The DOJ may also have difficulty proving damages suffered by an agency “due to” a cybersecurity breach. Most circuits require proof of both but-for causation and proximate causation. It is therefore unlikely that a cybersecurity breach would allow the DOJ to recover everything an agency paid under a contract.
Determining what damage is proximately caused by a cybersecurity breach can be tricky. Such violations do not necessarily reduce the value of the good or service the government receives. Instead, they impose an unwanted risk. The damages suffered by the government “due to” this risk can be difficult to estimate and may depend on the extent to which the risk materializes.
Watch the Aerojet Rocketdyne trial
The Aerojet Rocketdyne trial will provide a first test of how the FCA applies to cybersecurity fraud allegations.
Aerojet Rocketdyne develops missile defense and space launch systems. Markus alleges the company fraudulently concealed its failure to comply with regulations requiring defense contractors to implement cybersecurity measures and disclose known threats.
While the court found that Aerojet disclosed certain cybersecurity issues, it identified significant factual disputes over whether the company disclosed past data breaches that had not been fully remedied and were continuing to occur. The court also cited alleged discrepancies between the number of cybersecurity issues identified by external audits and those disclosed to the government.
Despite overcoming summary judgment, Markus still faces many hurdles at trial. Among other defenses, Aerojet argues that its government contracts focus on the supply of aerospace or research equipment, so failure to comply with cybersecurity regulations was neither material to the agency’s decision-making nor a cause of injury.
Aerojet says it has evidence that the DOJ knew many government contractors, including Aerojet, were struggling to comply. Despite this knowledge, the Department of Defense would never have canceled a contract, refused payment, or requested a refund due to cybersecurity concerns. If credited, this evidence could prove fatal to Markus’ case on both materiality and causation.
Ultimately, the DOJ has many investigative and litigation resources that private relators do not have. The Civil Cyber Fraud Initiative will leverage these resources and will also benefit from the increased focus that President Biden’s executive order has placed on cybersecurity.
But Markus’ case highlights potential obstacles to the DOJ’s efforts to use the FCA to police cybersecurity. Since the FCA focuses on monetary transactions, its invocation requires the DOJ to convince courts and jurors that cybersecurity is not only important, but also what the government pays for.
This article does not necessarily reflect the views of the Bureau of National Affairs, Inc., publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Caleb Hayes-Deats is a partner at MoloLamken LLP where he represents companies and individuals in False Claims Act and other types of whistleblower litigation. Previously, he served as an Assistant United States Attorney for the Southern District of New York.