On 8 July 2022, the Department of Justice (DOJ) announced a settlement of cybersecurity fraud charges against Aerojet Rocketdyne Inc. (Aerojet) following an action under the False Claims Act (FCA). Aerojet agreed to pay USD 9 million to the US government to settle allegations that it misrepresented its compliance with cybersecurity requirements when entering into federal government contracts with NASA and the Department of Defense. The case started when Aerojet’s former employee, Brian Markus, filed a qui tam action against the company under the FCA after it allegedly failed to protect sensitive information pursuant to government rules about cybersecurity. The case was settled on the second day of trial. This is the DOJ’s second settlement in the last nine months under its Civil Cyber-Fraud Initiative, thus signaling the government’s sustained focus on combatting cybersecurity fraud through the FCA.
Aerojet manufactures products for the aerospace and defense industry, and it contracts with federal government agencies including the Department of Defense (DoD) and the National Aeronautics and Space Administration (NASA). Both the DoD and NASA impose regulations on defense contractors to implement specific controls to protect sensitive government information from cybersecurity threats, namely, Defense Federal Acquisition Regulation 48 C.F.R. § 252.204-7012 (DFARS) and NASA Federal Acquisition Regulation 48 C.F.R. § 1852.204-76 (NASA FARS).1
From June 2014 to September 2015, the relator Brian Markus (“Relator“) was employed by Aerojet as its senior director for Cyber Security, Compliance & Controls.2 Relator claimed that, as early as 2014, Aerojet was not compliant with the relevant regulations and that the government awarded Aerojet contracts based on its misrepresentations of compliance. In July 2015, Relator refused to sign documents that Aerojet was compliant with cybersecurity requirements, contacted the company’s ethics hotline, and filed an internal report. Aerojet terminated Relator’s employment on 14 September 2015.3
On 29 October 2015, Relator filed a qui tam action under the FCA,4 alleging that Aerojet misrepresented its compliance with cybersecurity regulations and fraudulently entered into government contracts with DoD and NASA, despite knowing that it did not meet the minimum standards to be awarded government contracts.5 In June 2018, the government declined to intervene in Relator’s action, after which the case was unsealed.
On 4 January 2019, Relator filed his Second Amended Complaint (SAC) which alleged claims for: (1) promissory fraud in violation of 31 U.S.C. § 3729(a)(1)(A); (2) false or fraudulent statement or record in violation of 31 U.S.C. § 3729(a)(1)(B); (3) conspiracy to submit false claims in violation of 31 U.S.C. § 3729(a)(1)(C); (4) retaliation in violation of 31 U.S.C. § 3730(h); (5) misrepresentation in violation of California Labor Code § 970; and (6) wrongful termination.
Aerojet responded to the SAC by filing a motion to dismiss the complaint and moving to compel the employment-related claims to arbitration. On 8 May 2019, Judge William B. Shubb of the District Court for the Eastern District of California dismissed Relator’s conspiracy claim and granted Aerojet’s request to compel the employment-related claims to arbitration. However, the Court denied Aerojet’s motion to dismiss the first two counts under the FCA. Particularly, the court found that Relator had sufficiently pled materiality under the FCA, noting that although Aerojet had disclosed certain areas of noncompliance to the government, it had allegedly failed to disclose the full extent of its noncompliance.
The parties cross-moved for summary judgment or adjudication on the remaining FCA claims. The government also filed a statement of interest in which it opposed Aerojet’s arguments. On 1 February 2022, the Court granted Aerojet’s motion as to Relator’s false certification claim, but denied Aerojet’s motion as to the promissory fraud claim. The Court also denied motions for summary judgment from both parties on the issue of damages.
On 26 April 2022, jury trial commenced on Relator’s promissory fraud claim. A jury was selected, and the parties delivered their respective opening statements.
Under the FCA, persons who violate the Act may be liable for up to three times the actual damages “which the Government sustains because of the act” giving rise to liability.6 Heading into trial, Relator claimed that Aerojet owed damages of USD 19 billion, or three times the sum of each invoice paid under each contract that was obtained through the allegedly false statements or fraudulent conduct.7 In addition, had Aerojet been found to have violated the FCA, it would have been subject to debarment or suspension and civil penalties, which are also provided for under the FCA. Aerojet claimed that the government had suffered no actual damages since Aerojet had provided the goods and services the government had contracted to receive.
Aerojet agreed to pay USD 9 million to the US government to settle the cyber-fraud allegations.
The settlement agreement does not include any admission of fault or liability on the part of Aerojet.
Why it matters
Aerojet is the first cybersecurity compliance FCA case to move past a motion to dismiss, a motion for summary judgment, and then to trial and settlement. This demonstrates a judicial willingness to recognize cyber-fraud as a viable basis for a qui tam FCA lawsuit.
This is the second settlement announced in connection with the DOJ’s Civil Cyber-Fraud Initiative, which it launched in October 2021. The Civil Cyber-Fraud Initiative was created to increase cybersecurity compliance by using the FCA to pursue cybersecurity-related violations committed by government contractors, subcontractors, and grant recipients. The first such settlement was in March 2022 and involved Comprehensive Health Services (CHS), which was accused of failing to store government employees’ medical records on a secure electronic medical record system in violation of government contract requirements. The CHS allegations were also raised via a qui tam lawsuit, in which the government partially intervened.
- Trial risk is a significant motivation to settle. Facing uncertainty regarding damages, the parties decided to settle on just the second day of trial, despite over three years of litigation and investigation.
- Under the Civil Cyber-Fraud Initiative, the federal government will continue to use the FCA to hold government contractors accountable if they make false, misleading or incomplete representations regarding cybersecurity compliance in their government contracts.
- Given the uptick in cybersecurity enforcement, government contractors must be diligent in their compliance with cybersecurity regulations and careful in their assurances to the government when entering into government contracts.
- Appropriate disclosures to the government regarding non-compliance can be key to determining materiality under the FCA. Disclosures to and any waivers from the government must be carefully crafted and documented. Here, the parties agreed that the government contractor had not fully complied with cybersecurity requirements and that it had in fact disclosed the non-compliance to the government. Nonetheless, Relator and the government relied on their claim that these disclosures did not fully reveal the extent of the non-compliance at the motion to dismiss and summary judgment stages.
- As with other areas of FCA enforcement, enforcement of cybersecurity-related fraud will rely significantly on qui tam actions. Accordingly, government contractors should have systems in place to properly respond to internal warnings. This includes, inter alia, having sufficient resources to investigate allegations raised through internal reporting mechanisms. It also involves ensuring that the functions responsible for cybersecurity receive adequate resources to assess risk, mitigate cyber threats and ensure compliance with government requirements.
1. United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-02245 WBS AC, 2022 US Dist. LEXIS 18505, at *3-4 (E.D. Cal. 1 February 2022).
2. Id. at 2.
3. United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., 381 F. Supp. 3d 1240, 1244 (E.D. Cal. 2019).
4. 31 U.S.C. §§ 3729 – 3733.
5. The defendants were Aerojet Rocketdyne Holdings, Inc. and Aerojet Rocketdyne, Inc. a wholly-owned subsidiary thereof. For purposes of simplicity, the defendants will be collectively referred to as “Aerojet.”
6. 31 U.S.C. § 3729(a).
7. United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-02245 WBS AC, 2022 US Dist. LEXIS 18505, at *21 (E.D. Cal. 1 February 2022).