Cybersecurity False Claims Act Cases: The Next Frontier

All this changed in 2011 when the Department of Defense (DoD) first proposed to regulate the safeguarding of unclassified but sensitive national security or privacy information that must be safeguarded from hacking. Specifically, DoD proposed adding a new subpart to the Defense FAR Supplement (DFARS) to require contractors and subcontractors to safeguard unclassified DoD information resident on or passing through their computer systems, and to promptly report all cybersecurity incidents. The regulations in DFARS Subpart 204.73: Safeguarding Covered Defense Information and Cyber Incident Reporting, and the clauses first issued under this subpart, have now expanded to cover "controlled unclassified information" in both a contractor's facilities and in the cloud, and to incorporate by reference the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

In 2016 the government added an omnibus cybersecurity clause to the FAR to cover cybersecurity in civilian agency contracts. Newly added FAR Subpart 4.19: Basic Safeguarding of Covered Contractor Information Systems requires agencies to include FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems (June 2016), in contracts (other than those of commercially available off-the-shelf items) that involve sensitive federal information. Among other obligations, the clause requires a contractor to limit access to authorized users, control and limit connections to external systems, limit physical access to systems, implement subnetworks for publicly accessible systems, update malicious code protection and perform real time scans of external files. Taken from NIST SP 800-171, these are all best practices, but not all companies have these policies in place, actually implement the policies that are in place, or monitor and audit the implementation and use of those policies.

The False Claims Act, 31 U.S.C. §3729-33, allows private citizens to sue a company that contracts with the federal government on the basis that the contractor billed the government despite its alleged non-compliance with material contractual requirements. Often the plaintiff asserts that the contractor has misrepresented and wrongly certified its compliance with its contractual obligations, thus perpetrating a fraud on the government. If successful, the private citizen — called the qui tam relator — can collect a hefty percentage of whatever damages and fines the government recovers from the contractor.

The relator, sometimes a disgruntled ex-employee or competitor, files an FCA complaint under seal unbeknownst to the contractor. The Department of Justice (DOJ) then investigates the complaint, often starting with subpoenas to the contractor who usually doesn't know what is going on or if they are even the target of the investigation. It often takes one to two years for DOJ to complete its investigation. At this point, the complaint is unsealed, and DOJ decides whether to intervene and lead the case, or to pass and let the qui tam relator continue to prosecute the case on his or her own. In either case the government gets the bulk of any recovery and the qui tam relator gets a share. The relator's share is larger if he is forced to prosecute the case without DOJ's help.

Among other elements of an FCA case, the plaintiff must prove that the defendant contractor's non-compliance was (or would have been) material to the government's decision to pay the contractor's invoices for the goods or services rendered. Universal Health Services, Inc. v. United States ex rel. Escobar, 136 S.Ct. 1989 (2016). While lack of materiality can be a strong defense in certain cases, it would not be surprising to see cybersecurity non-compliance treated as a material factor to the government's payment decision That is, had the government known a contractor was not complying with a contract's cybersecurity requirements, the agency almost assuredly would not have agreed to pay the contractor.

The FAR and DFARS cybersecurity clauses are relatively new, still evolving, and somewhat confusing. It is not yet known how the courts will treat cybersecurity violations in practice in FCA cases.

In May 2019, a federal district court refused to dismiss an FCA case brought by an ex-employee based on a government contractor's alleged failure to comply with its contractual cybersecurity obligations. United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245 (E.D.Ca.). While DOJ declined to join the case, the defendant contractor will now be forced to respond to the plaintiff's discovery requests for emails and documents. To avoid the substantial costs of litigation and a possible trial, the defendant contractor may be inclined to settle the case just to get out of costly litigation and move forward.

In July 2019, Cisco Systems agreed to pay $8.6 million to settle an FCA case filed by a qui tam whistleblower based on cybersecurity vulnerabilities in video surveillance systems sold to federal and state governments. U.S. et al. ex rel. Glenn v. Cisco Systems, Inc., No. 1:11-cv-0400 (W.D. NY). Not only did DOJ intervene in the case, but so too did 15 state governments under their respective false claims statutes. The federal government, state governments and the plaintiff — an ex-employee — will all share in the recovery.

To avoid cybersecurity liability under the FCA will require — in addition to executive buy-in — organization, attention to detail and discipline. It will require a contractor not only to commit to establishing and implementing cybersecurity best practices, but to monitoring the implementation of those practices on an on-going basis. Most vulnerable will be commercial item government contractors who are not fully aware of the cybersecurity regulations or of the dangers resulting from non-compliance.

Conclusion

With the hacking of private and government systems constantly in the press, cybersecurity is obviously of growing importance. This, combined with the federal government's fortified cybersecurity contractual requirements, will almost certainly lead to a new wave of cybersecurity FCA cases in the months and years ahead.

*****

Andrew Mohr is a Partner with Morris, Manning & Martin, LLP's Government Contracts practice in Washington, DC. He has over three decades of experience that spans the entire range of federal, state and local government contract formation and administration. He can be reached at [email protected]. C. Kelly Kroll is Of Counsel at Morris, Manning & Martin, LLP's Government Contracts practice in Washington, DC. She has extensive experience with federal, state and local government contract formation and administration, assisting clients in every stage of the government procurement process, from analysis of the risks associated with entering the market to the issues arising during the solicitation, award, performance and close out of government contracts. She can be reached at [email protected].