Cybersecurity litigation for contractors is on the rise – takeaways from recent cases
As the government increases its focus on cybersecurity obligations for contractors, litigation related to these issues is becoming more prevalent. Already in the first half of 2022, there have been important False Claims Act settlements and bid protests addressing these issues, and we anticipate that this trend will continue.
Last month, the Department of Defense (DoD) issued a memorandum reminding DoD officials of their audit rights regarding cybersecurity compliance and highlighting potential remedies in the event a contractor breaches its obligations, including “withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.” Thus, it is important for contractors to understand the cybersecurity obligations in their solicitations and contracts and have a plan for demonstrating compliance.
This alert highlights several recent cases that may inform that planning.
False Claims Act
As we have described in previous alerts, a contractor’s knowing failure to comply with material cybersecurity requirements could expose the contractor to liability under the False Claims Act. The recent Aerojet Rocketdyne settlement from April 2022, further detailed in a press release issued by the Department of Justice last week, illustrates that risk.
The Aerojet action was originally filed by Aerojet’s Senior Director for Cybersecurity. He alleged that Aerojet fraudulently induced the government to contract with the aerospace company by not disclosing the full extent of Aerojet’s non-compliance with the applicable Defense Federal Acquisition Regulation Supplement (DFARS) and National Aeronautics and Space Administration (NASA) cybersecurity requirements and sought $19 billion in damages.
Although the evidence demonstrated that Aerojet communicated with the government about its non-compliance (including seeking a waiver of certain requirements), in its decision denying summary judgment, the court found that “a genuine dispute of material fact exists as to the sufficiency of the disclosures” related to cyber breaches experienced by the company and information gathered from cyber audits conducted by outside firms.
The court also held that additional information was necessary to determine whether the government deemed these requirements material to contract award. Aerojet paid $9 million to settle the case (of which $2.61 million was paid to the whistleblower), notwithstanding that, according to Aerojet’s filings in the case, the government received the entire economic value of the contracts at issue.
The first half of 2022 also included the first cyber-related settlement arising out of the Department of Justice’s Civil-Cyber Fraud Initiative. In March 2022, medical services contractor Comprehensive Health Services LLC paid $930,000 to settle allegations that it violated the False Claims Act by failing to store confidential medical records on a secure electronic medical record system, as it was contractually required to do. In the settlement announcement, the Principal Deputy Assistant Attorney General stated that the settlement “demonstrate[d] the department’s commitment to use its civil enforcement tools to pursue government contractors that fail to follow required cybersecurity standards.”
The government’s public statements and initiatives regarding cybersecurity, as well as the increased prevalence of cybersecurity requirements in contracts, suggest that the Aerojet and Comprehensive Health cases are likely just the first of many cybersecurity-related actions to be initiated by the government and whistleblowers in the future.
Cybersecurity requirements are also increasingly relevant in the context of bid protests. In its March 2022 decision in American Roll-On Roll-Off Carrier Group, the US Government Accountability Office (GAO) denied a protest that alleged that the awardee misrepresented its cybersecurity compliance when it listed its Federal Risk and Authorization Management Program (FedRAMP) authorization level as “high” when it should have been “medium.”
Although GAO denied the protest, it evaluated the merits of the allegations. Specifically, the GAO considered publicly available information and a declaration from the awardee’s subcontractor in concluding that the awardee did not misrepresent its authorization level. The agency’s award decision is currently being challenged at the US Court of Federal Claims, and the Court will likely address the FedRAMP allegations in its merits decision that should be issued later this year.
GAO has considered other protests involving cybersecurity-related challenges on their merits. Most recently, GAO reviewed a protest alleging that the awardee failed to report a gap assessment score in the DoD Supplier Performance Risk System (SPRS) as required by DFARS 252.204-7019 and DFARS 252.204-7020. GAO concluded that the protest had merit but nevertheless denied the protest because the protestor failed to establish prejudice. Similarly, in 2021, GAO denied a protest challenging a sole-source award when the protestor could not demonstrate that its solution had the required FedRAMP authorization, which was a mandatory minimum requirement for the procurement.
Although the protests discussed above were all denied, the decisions demonstrate that an awardee’s inability to meet applicable cybersecurity requirements could form the basis for a meritorious bid protest. The likelihood of cybersecurity-related protests will increase as agencies more frequently include cybersecurity requirements in solicitations as mandatory requirements and evaluation criteria.
Although we did not identify any noteworthy cases involving cybersecurity-related claims brought under the Contract Disputes Act from the first half of 2022, such claims remain a potential issue for government contractors. As noted above, DoD has expressly instructed procurement officials that a failure to comply with cybersecurity requirements could justify a breach-of-contract claim or provide a basis for termination for cause.
The recent litigation related to cybersecurity compliance demonstrates the increasing need for contractors to be vigilant in their review of solicitation requirements and in the representations they make in proposals regarding cybersecurity compliance.
We will continue to monitor developments in this area. If you have any questions, please contact the authors or your DLA Piper relationship attorney.
 “Cybersecurity obligations for government contractors – focus on them before the government focuses on you,” September 22, 2021 and “With Civil Cyber-Fraud Initiative, government sharpens focus on cybersecurity obligations for government contractors,” November 1, 2021
 B-418266.9, 2022 WL 1091409 (Comp. Gen. Mar. 3, 2022).