Published on April 22nd, 2022
Aerojet Rocketdyne Cybersecurity Trial Could Be DOJ Bellwether
On April 26, trial will begin in United States ex rel. Markus v. Aerojet Rocketdyne Inc., where relator Brian Markus, Aerojet's former senior director of cybersecurity, alleges the company violated the False Claims Act (FCA) by concealing cybersecurity problems from the government.
When the Department of Justice declined to intervene in 2018, few would have predicted that Markus' case would become a bellwether for a government initiative. But the Biden administration subsequently prioritized cybersecurity, and the DOJ's new civil cyber-fraud initiative will pursue FCA theories that resemble Markus' case and allegations.
This trial in the U.S. District Court for the Eastern District of California could thus establish a blueprint for the DOJ's new initiative, or identify potential obstacles.
DOJ's Civil Cyber-Fraud Initiative
In May 2021, a ransomware attack shut down an American oil pipeline system for six days. Federal and state governments had to take emergency measures to maintain the fuel supply to certain parts of the country. After the attack, President Biden issued an executive order directing improvements to cybersecurity infrastructure, including systems operated by government contractors. The order directed the federal government to "bring to bear the full scope of its authorities" to protect cybersecurity.
In October, the DOJ launched the civil cyber-fraud initiative, vowing to "hold accountable" anyone "knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches."
The department identified "three common cybersecurity failures that are prime candidates for potential False Claims Act Enforcement": (1) "knowing failures to comply with cybersecurity standards" set by federal agencies; (2) "knowing misrepresentation of security controls," such as a contractor's "practices for monitoring its systems for breaches, or password and access requirements"; and (3) "knowing failure to timely report suspected breaches."
Potential Issues Facing Cyber-Fraud Cases Under the FCA
Whistleblower lawsuits under the initiative will raise novel issues. Most government contractors provide goods or services other than cybersecurity. While cybersecurity is undoubtedly important, federal agencies must weigh it against their need to obtain the relevant goods and services, much as private individuals balance their own desire for cybersecurity against the necessities of online life.
Those practical realities will complicate efforts to prove that false claims about cybersecurity are "material" to payment decisions and proximately cause government losses.
Not every undisclosed statutory or regulatory violation is material, as the U.S. Supreme Court made clear in United Health Services v. United States ex rel. Escobar. Describing the FCA's materiality requirement as "rigorous," the court explained that even a knowing violation will not give rise to FCA liability unless it affects whether an agency will pay a claim.
If the agency has a history of paying claims despite knowing of similar infractions, the requirement likely is not material. DOJ will thus have to prove that violations of cybersecurity requirements would likely impact whether an agency would pay the relevant claim. That may prove complicated, particularly where the government pays for a specialized good or a service that it cannot easily obtain.
The DOJ may also have difficulty proving what damages an agency suffers "because of" a cybersecurity violation. Most circuits require proof of both but-for and proximate causation. A cybersecurity violation is thus unlikely to permit the DOJ to recover everything an agency paid under a contract.
Determining what damages are proximately caused by a cybersecurity violation may prove thorny. Such violations do not necessarily reduce the value of the good or service the government receives. Instead, they impose an unwanted risk. The damage the government suffers "because of" that risk can be difficult to estimate and may depend on the degree to which the risk materializes.
Watching the Aerojet Rocketdyne Trial
The Aerojet Rocketdyne trial will provide an early test of how the FCA applies to allegations of cybersecurity fraud.
Aerojet Rocketdyne develops missile-defense and space-launch systems. Markus alleges that the company fraudulently concealed its failure to comply with regulations requiring defense contractors to implement cybersecurity measures and disclose known threats.
Although the court found Aerojet had disclosed some issues with its cybersecurity, it identified material disputes of fact concerning whether the company had revealed that prior data breaches had not been fully redressed and continued to leak data. The court also cited purported discrepancies between the number of cybersecurity issues identified by outside audits and those disclosed to the government.
Despite overcoming summary judgment, Markus still faces many obstacles at trial. Among other defenses, Aerojet argues that its government contracts focus on providing aerospace equipment or research, such that noncompliance with cybersecurity regulations was neither material to agency decision-making nor a cause of any injury.
Aerojet claims to have evidence that the DOJ knew that many government contractors, including Aerojet, struggled to comply. Despite that knowledge, the Department of Defense supposedly never canceled any contracts, denied payment, or requested reimbursement based on cybersecurity issues. If credited, that evidence could prove fatal to Markus's case on both materiality and causation.
Ultimately, the DOJ has many investigative and litigative resources that private relators do not. The civil cyber-fraud initiative will bring those resources to bear, and will also benefit from the increased emphasis President Biden's executive order placed on cybersecurity.
But Markus's case highlights potential obstacles to the DOJ's efforts to use the FCA to police cybersecurity. Because the FCA focuses on monetary transactions, its invocation requires DOJ to convince courts and jurors that cybersecurity is not only important, but also is what the government is paying for.
This article does not necessarily reflect the opinion of The Bureau of National Affairs, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Caleb Hayes-Deats is a partner at MoloLamken LLP where he represents companies and individuals in False Claims Act and other types of whistleblower litigation. Previously, he served as an assistant U.S. attorney in the Southern District of New York.