Claim alleges aerospace company committed fraud under the False Claims Act because it failed to meet information security requirements
A California federal court in May permitted a lawsuit to go forward alleging a government contractor’s failure to adequately address the findings of an external information security assessment meant that the funds it received from the government under the contract, wholly unrelated to information security, were obtained by fraud.
Brian Markus was the senior director of cybersecurity for a large California aerospace company that had—as you would expect—contracts with the U.S. Department of Defense and NASA. As senior director, Markus had responsibility for ensuring that the contractor complied with a host of laws and regulations regarding cybersecurity awareness and readiness. Because the rocket company was a DoD and NASA contractor, it was required to be compliant with DoD regulations regarding safeguarding DoD information and reporting, 48 C.F.R. § 252.204-7012 (2013) and 48 C.F.R. § 252.204-7012 (Aug. 2015). These regulations required defense contractors to have “adequate security,” defined as “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.”
The rocket company hired an outside consulting company (Disclaimer: The consulting company is a client of mine) to perform penetration testing and other services, which, like any security consulting company, made findings and recommendations.
This is where things went off the rails. Markus alleges that his employer wanted him to certify that the company was compliant with the DoD regulations when, in fact, they were not. After some give and take, Markus filed a complaint with the company’s internal ethics office, and was fired by the company in September 2014. A month later, he filed a lawsuit.
Cybersecurity Certification and False Claims Act
In addition to suing for wrongful termination and misrepresentation, Markus sued his now former employer for attempting to defraud the U.S. government under the False Claims Act by submitting and conspiring to submit false certifications that the company was compliant with the federal cybersecurity requirements.
Now, the False Claims Act generally relates to someone defrauding the government out of money in a contract. Nobody claimed that the rocket company failed to deliver rockets as ordered. What Markus claimed is that the allegedly false cybersecurity compliance certification was, first of all, just plain false itself and that it acted as an inducement to the government to award the rocket contracts to the company, and that, but for the false (or attempted false) certifications, the government would not have considered awarding the contract to the employer. Thus, it was fraud in the inducement of the contract and fraudulent promises about compliance. The rocket company responded by noting that it did, in fact, tell the government about the deficiencies in its cybersecurity, and that the government paid the company nonetheless.
Not so fast, said the court, in allowing Markus’ lawsuit to proceed. Even if the rocket company disclosed some of its deficiencies, the court noted that the complaint alleged that it continued to misrepresent to the government “the extent to which it had equipment required by the regulations, instituted required security controls, and possessed necessary firewalls,” while continuing to certify compliance by submitting invoices that contained the certification. Not only that, but the government specifically noted that the company didn’t have the authority to “waive” compliance with the cybersecurity requirements.
Partial security is not security. The court found it significant that, even though the government thought that it would “be a relatively simple matter for the contractor to become compliant,” the rocket company persisted in making misstatements as to partial compliance with protection measures, and that the company cherry-picked what data it chose to report.
So what? The contract was for rockets. Not for cybersecurity. The rocket company argued that the alleged violations were not “material” to the contract and that any noncompliance does not go to the central purpose of any of the contracts, as the contracts pertain to missile defense and rocket engine technology, not cybersecurity. Besides, even with the knowledge of the alleged noncompliance, the government continued to pay the rocket company and continued to order rockets from the company—even during the government investigation. In fact, while the government had the opportunity to intervene in the case filed by Markus, it chose not to.
The case is still in a preliminary stage—the court simply refused to dismiss the fraud allegations under the False Claims Act and allowed the case to proceed. But most significantly, the case stands for a few important propositions:
First, cybersecurity is important in any contract that requires it (and in every one that does not). If you sign a contract that requires certification of compliance with some cybersecurity standard (or that you have “adequate” protections for data), then your failure to do that may constitute a breach of contract or, worse, contract fraud.
Second, transparency is best (usually). Any competent security assessment will likely find deficiencies that will need to be addressed. Left unsaid in the case is the extent to which a finding of a security deficiency results in a false certification of “compliance” with a cybersecurity requirement. No company will be either 100% secure—or, for that matter, 100% “compliant.” That’s not how this works. That’s not how any of this works. Security and compliance are processes, not destinations. If the findings of an assessment show serious deficiencies, address them competently and don’t just gloss over them. Don’t just “click the box” that says, “Yes, we have adequate security controls,” but rather say, “We conduct regular security assessments of our controls, and have a robust process for identifying and addressing any deficiencies …” and then go on to discuss any major findings. If you haven’t addressed a major deficiency, then explain to the contract officer why, despite the failure to address the deficiency, your other “compensating” controls still provide “adequate” protection to the data you are contractually obligated to protect. And if you can’t do that, then tell them that and come up with a plan.
The case does not really explain what constitutes a “material” false certification sufficient to constitute a “false claim” under the law. One problem is the vague nature of the security regulations against which the certification is to be measured—they require “reasonable” or “adequate” protection. It’s one thing to falsely certify that you have a firewall or endpoint protection when you have none. It’s another thing to certify that your training program is “adequate.” This slope seems slightly slippery.
Also, many of these cases don’t provide the kind of granularity that permits parties to have the kind of comprehensive security discussions that would be necessary. There’s a box. If you comply, click here. If not, you can’t click here and you can’t get paid. Did I mention that that’s not how this works?
Future courts will struggle with defining the standards for certification of compliance and the standards of materiality. As a lawyer, the good thing for me is that there will be future cases. Cybersecurity compliance is, and will continue to be, a material aspect of both government and commercial contract requirements. Click the box at your own peril.