In the summer of 2015, we cautioned that the Department of Defense’s (DoD’s) new cybersecurity regulations could be used offensively to support False Claims Act (FCA) cases and bid protests. Four years later, those premonitions have unfortunately come true. Recently, a federal court refused to dismiss a relator’s implied certification FCA case in which he alleged that his employer “misrepresented … to the government the extent to which it had equipment required by the regulations, instituted required security controls, and possessed necessary firewalls” in violation of DoD’s cybersecurity regulations. United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245, 2019 WL 2024595, *3 (E.D. Cal. May 8, 2019).
By way of background, the False Claims Act imposes civil and potentially criminal liability on anyone who knowingly presents a false or fraudulent claim for payment to the federal Government, or knowingly makes, uses or causes to be made or used, a false record or statement material to a false or fraudulent claim. 31 U.S.C. § 3729(a)(1)(A) & (B). The FCA permits a private person, known as a relator, to bring a qui tam civil lawsuit in the name of the Government against anyone who violates the Act. Civil remedies can include up to three times the actual damages suffered by the Government as a result of the false claim along with a civil penalty between $5,000 and $10,000 for each violation. The relator receives a share of any proceeds from the action—generally 15 to 25 percent if the Government intervenes, and 25 to 30 percent if it does not, plus attorneys’ fees and costs. The FCA also has a lengthy statute of limitations of either six years from when the fraud is committed or three years after the Government knows or should know about the material facts giving rise to the claim, whichever is later, as long as the action is filed within ten years of the alleged fraud. 31 U.S.C. § 3731(b); Cochise Consultancy, Inc. v. United States ex rel. Hunt, 587 U.S. __ (May 13, 2019) (noting “if the Government discovers the fraud on the day it occurred, it would have 6 years to bring suit, but if a relator instead discovers the fraud on the day it occurred and the Government does not discover it, the relator could have as many as 10 years to bring suit”).
In Markus, the relator was the senior director of Cyber Security, Compliance and Controls for the defendants. In Sept. 2015, he was terminated after he refused to sign documents stating that his employer complied with the DoD’s new cybersecurity requirements. A month later, he filed a lawsuit alleging violations of the FCA and asserting claims relating to his termination. The lawsuit remained under seal while the Government investigated the FCA claim. Three years later, after the Government declined to intervene, the case was unsealed.
To put the facts in perspective, in June 2015, the National Institute of Standards and Technology (NIST), which is responsible for developing information security standards and guidelines, published Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171. This standard imposed new obligations on defense contractors for protecting Controlled Unclassified Information (CUI). In Aug. 2015, the Department of Defense issued an interim rule requiring contractors to implement SP 800-171. See 48 CFR 252.204-7012 (Aug. 2015). In Dec. 2015, DoD amended the interim rule to allow contractors until Dec. 31, 2017 to have compliant or equally effective alternate controls in place. See 48 CFR 252.204-7012(b)(1)(ii)(A) (Dec. 2015). Each version of the regulation defined adequate security as “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.” 48 CFR 252.204-7012(a).
While the defendants told DoD that they did not comply with certain aspects of the cybersecurity regulations, relator’s implied certification FCA claim was based on the defendants’ allegedly false representations that they otherwise complied with the remaining aspects of SP 800-171. An implied false certification claim requires two elements: (1) the claim does not merely request payment but also makes specific representations about the goods or services provided, and (2) the defendant’s failure to disclose noncompliance with material statutory, regulatory or contractual requirements makes those representations misleading half-truths. Universal Health Servs., Inc. v. United States ex rel. Escobar, 136 S.Ct. 1989, 2001 (2016). The court, accepting plaintiff’s allegations as true as it must in response to a motion to dismiss, held that while defendants disclosed some of their noncompliance, “a partial disclosure would not relieve defendants of liability where defendants failed to ‘disclose noncompliance with material statutory, regulatory, or contractual requirements.’” The court thus denied the motion to dismiss relator’s FCA claim.
In Escobar, the Supreme Court stated that “if the Government pays a particular claim in full despite its actual knowledge that certain requirements were violated, that is very strong evidence that those requirements are not material.” Id. at 2003. For that reason, if the defendants can depose the contracting officer and establish that the alleged violations were not material to the Government’s decision to enter into the contract, defendants may be able to prevail at summary judgment.
A lesson for contractors is to be sure to disclose those areas where you do not fully comply with the requirements for a contract offering. A full disclosure will allow you to argue that the requirements were not material to the Government’s contracting decision. A failure to disclose makes that argument much harder than it has to be, especially in the fast-paced area of cybersecurity.
For small contractors still struggling to understand, much less comply with, the cybersecurity requirements, Section 1644(b) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 states DoD will be helping small manufacturers and universities conduct voluntary self-assessments in order to understand operating environments, cybersecurity requirements and existing vulnerabilities, including through the Mentor Protégé Program, small business programs and engagements with defense laboratories and test ranges.