District Court confirms that noncompliance with cybersecurity requirements may lead to False Claims Act liability
As we have previously noted, the federal government has increased its focus on identifying fraud related to the cybersecurity obligations of government contractors. A recent district court decision may support this government initiative, as the court held that a contractor’s knowing failure to disclose gaps in its cybersecurity compliance could lead to liability under the False Claims Act.
In United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., the US District Court for the Eastern District of California evaluated a relator’s claim that a contractor fraudulently induced the government to award seven contracts by making false statements about the contractor’s compliance with the cybersecurity requirements delineated in Defense Federal Acquisition Regulation Supplement 252.204-7012 and NASA Federal Acquisition Regulation Supplement 1852.204-76. The contractor argued that it had not made false statements because it had disclosed to the government that it was not fully compliant with those clauses.
The district court concluded that, on summary judgment, it could not determine whether the cybersecurity requirements were “material” under the False Claims Act. It stated that, although the contractor had disclosed some information regarding noncompliance with the cybersecurity requirements to the government, the extent of the disclosures was unclear, and the government may not have had the “full picture” of the contractor’s noncompliance. The district court further stated that it “may be reasonably inferred that compliance was significant to the government because without complete knowledge about compliance, or noncompliance, with the clauses, the government cannot adequately protect its information.”
In addition to suggesting that cybersecurity obligations in a contract may be “material,” the court provided guidance on the potential recovery in such cases. The relator requested damages equal to three times the entire value of the seven contracts at issue, as, according to the relator, the contractor’s performance had no economic value due to the fraud. The contractor, on the other hand, asserted that the government did not suffer any damages because it received the “full economic value” of the contractor’s performance.
The district court determined that neither position was supported by the record and that the amount of damages, if any, would need to be determined by the trier of fact. The court’s rejection of the relator’s claim that damages should equal the full value of the contracts is consistent with the benefit-of-the-bargain rule applied by most courts; that rule calculates damages as the difference between the value that the government received and the amount that it paid.
The district court’s decision reinforces that knowing noncompliance with standard cybersecurity provisions may be sufficient for purposes of establishing liability under the False Claims Act. The decision also indicates that, even if an agency knows of a contractor’s noncompliance with certain cybersecurity requirements, False Claims Act liability may still be possible if the agency does not know the full extent of the noncompliance. Thus, contractors are encouraged to closely scrutinize their cybersecurity obligations and consider an open exchange of information with the government about potential areas of noncompliance.
We will continue to monitor developments in this area. If you have any questions, please contact the authors or your DLA Piper relationship attorney.