Contractor Settles Cybersecurity-Related False Claims Act Suit for $9 million | Pillsbury Winthrop Shaw Pittman LLP

Published on July 8th, 2022


The whistleblower who brought the suit, under the qui tam provisions of the False Claims Act (FCA), was the contractor’s former senior director of cybersecurity compliance. In the complaint, the whistleblower alleged that external auditors were able to compromise the contractor’s network. Within four hours, auditors allegedly were able to obtain all user accounts and passwords, access attorney-client privileged documents, and remotely view and listen to security camera footage at the contractor’s facility. At the same time, the contractor allegedly certified that it was in compliance with applicable cybersecurity requirements. The U.S. Department of Justice (DOJ) submitted a “statement of interest” in October 2021 to respond to the legal issues related to the FCA that the contractor raised in a motion for summary judgment.

After surviving several attempts to dismiss the suit, the whistleblower agreed to settle shortly after the April 2022 trial had commenced. In the settlement agreement, the contractor expressly denied any violation of the FCA, but agreed to pay the United States a total of $9 million. The FCA provides that the whistleblower can receive up to 30 percent of the settlement amount.





Since the time this case was filed, DoD and DOJ have taken steps to emphasize the importance of cybersecurity maturity within the government’s supply chain. (We have previously reported on these efforts in July 2022, November 2021, October 2021 and October 2020.) Although the government’s cybersecurity standards continue to evolve, the settlement should serve as a wake-up call for contractors to take their cybersecurity obligations seriously today and to be transparent about their level of compliance with cybersecurity requirements. This is especially true since DoD issued DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements), which is an interim rule that went into effect in November 2020 and requires most defense contractors to self-assess their level of cybersecurity compliance and post the results of that assessment on the Supplier Performance Risk System, a government database.
