On April 29, Aerojet Rocketdyne Holdings Inc. (Aerojet) settled claims brought by whistleblower Brian Markus for a reported $9 million after the second day of a jury trial. This is the second recent settlement under the False Claims Act (FCA) involving alleged misrepresentations about a company's cybersecurity practices and systems in connection with government contracts. We recently covered the settlement between the Department of Justice (DOJ) and Comprehensive Health Services here. Together, these two settlements highlight a growing trend: the government and whistleblowers are using the FCA as a mechanism to hold vendors that do business with the federal government accountable for meeting federal cybersecurity requirements.
This is a wake-up call for all federal government contractors. In the Aerojet case, the company's own senior director of cybersecurity, compliance, and controls used his inside knowledge of the company's security posture to bring serious allegations to light. Because the threat in such cases may come from within, companies must make compliance a priority and evaluate their governance structures now, so that they are positioned to act efficiently on compliance objectives before it is too late.
The False Claims Act
Under the FCA, a person or business is liable for knowingly submitting false claims to the government, or for knowingly submitting false records or statements to the government in order to get a false claim paid. 31 U.S.C. §§ 3729(a)(1)(A) and (B). In the context of the FCA, a "claim" is a demand for money or property made to the federal government, or made to a federal government contractor if the federal government has provided any portion of the money or will reimburse the contractor. 31 U.S.C. § 3729(b)(2). The three elements of an FCA cause of action are: "(1) the defendant submitted a claim to the government, (2) the claim was false, and (3) the defendant knew the claim was false." See, e.g., United States ex rel. Barko v. Halliburton Co., 241 F. Supp. 3d 37, 49 (D.D.C.), aff'd, 709 F. App'x 23 (D.C. Cir. 2017). Liability under the FCA requires that the defendant acted "knowingly," which the statute defines as actual knowledge of the information, deliberate ignorance of the truth or falsity of the information, or reckless disregard of the truth or falsity of the information. 31 U.S.C. § 3729(b)(1). Specific intent to defraud is not required. Id.
The FCA is a remedial statute, but its remedies are punitive in effect. Double or treble damages and mandatory minimum per-claim penalties are available to the plaintiff, and penalties may be imposed even if the government has not been harmed. Inflation-adjusted statutory penalties range from $11,650 to $23,607 for each violation (i.e., each false claim submitted). The government is also entitled to recover triple the amount of money it lost because of the false claims. Damages are ultimately determined on the facts of each particular case. In 2021 alone, the DOJ reported over $5.6 billion in recoveries under the FCA.
The FCA's statutory penalties and civil damages structure give whistleblowers a strong incentive to come forward with information. A whistleblower may receive 15% to 25% of the recovery in cases where the government intervenes, and up to 30% in cases where the government does not intervene.
Because penalties are determined on the specific facts of a case, regulators are likely to focus not only on the "false claims" made to the government but also on the culpability of the organization's management and board of directors. The government's ability to demonstrate a failed governance structure can be as damaging for a company as the false claims themselves, and a weak governance structure (or the lack of one) can result in substantial additional exposure in cases brought under the FCA.
The Whistleblower Complaint
Aerojet is a manufacturer of rocket engines and other high-tech propulsion systems for commercial and government use. In the course of its business, Aerojet regularly contracted with the Department of Defense and NASA. Those contracts are subject to the Federal Acquisition Regulation (FAR) and the agency-specific supplements to it (the Defense Federal Acquisition Regulation Supplement (DFARS) and the NASA FAR Supplement). At a very high level, those regulations (for DoD contracts, the safeguarding clause at DFARS 252.204-7012) require contractors to (1) maintain adequate security for information systems that store or process covered technical information; and (2) report cyber incidents that compromise those information systems.
According to the qui tam complaint, which was originally filed under seal, Aerojet employed Markus from 2014 to 2015 to direct Aerojet's cybersecurity program. See United States ex rel. Brian Markus v. Aerojet RocketDyne Holdings, Inc., et al., 2:15-cv-02245 (E.D. Cal.). When Markus joined Aerojet, its cybersecurity program did not meet the requirements of the federal contracts, and it continued to fall far short of full compliance with the FARs throughout his employment. According to Markus, Aerojet did not provide him with sufficient resources to build a program to the level of security required by Aerojet's government contracts.
Markus specifically alleged that in 2013 and 2014, Aerojet reported breaches by nation-state sponsored threat actors, as its contracts required, but failed to disclose that the breaches resulted from noncompliance with the FARs. In response to specific questions from the government following these breaches, Aerojet allegedly gave misleading answers, for example representing that it had certain pieces of security equipment when the equipment was in fact still in the box or connected to a different computer system. The point for practitioners is that a control that has been purchased but not deployed (or deployed on the wrong system) provides no protection, and representing it as in place is the kind of statement the FCA reaches.
Markus also alleged that he attempted to alert the company to its cybersecurity shortfalls, but that his concerns were ignored or covered up. For example, Markus alleged that he prepared a presentation for the Aerojet board in January 2015 to highlight the security concerns and notify the board that Aerojet was not compliant with the FARs, but that his boss took over the presentation and changed it to conceal the noncompliance. Additional reports from Markus, beginning in 2014, allegedly put Aerojet's management on notice of its cybersecurity shortcomings.
In early 2015, Aerojet hired Emagined and Ernst & Young to conduct a series of security audits of Aerojet's information security systems. Both audits identified significant cybersecurity weaknesses that would require expensive remediation. Later in 2015, shortly after Aerojet received those audit reports and before the gaps had been remediated, Markus' boss asked him to sign a certification attesting to Aerojet's cybersecurity compliance. Markus alleged that he refused to execute the certification because the information security systems were significantly noncompliant with the FARs and because he was concerned that he could lose his federal security clearances. According to Markus, Aerojet terminated his employment as a result of his refusal to certify Aerojet's cybersecurity program.
Procedural History and Settlement
Markus filed the lawsuit in 2015, shortly after his termination (and after filing internal grievances at Aerojet). The DOJ initially declined to intervene in the lawsuit. However, in October 2021, the DOJ announced the launch of its Civil Cyber-Fraud Initiative, which combines the department's expertise in civil fraud enforcement, government procurement, and cybersecurity to combat new and emerging cyber threats to sensitive information and critical systems. Shortly after this announcement, the DOJ filed a statement of interest in response to Aerojet's motion for summary judgment "to ensure the proper interpretation and application of legal principles developed under the FCA." [Dkt. 135, p. 13]. The DOJ asserted that it had contracted with Aerojet not only to build rocket engines, but also to securely store government data on systems that met specified cybersecurity requirements. The Eastern District of California denied Aerojet's motion for summary judgment, and the case proceeded to trial.
On April 29, the second day of trial, Markus took the witness stand. After several hours of testimony, the parties recessed for an hour and then informed the court that they had reached a settlement. On that representation, the court dismissed the jury. The parties have 30 days from April 29 to finalize the settlement and dismiss the lawsuit.
Three significant breakdowns at Aerojet culminated in this lawsuit: (1) Aerojet's information security program was noncompliant with the FARs; (2) Aerojet's leadership was aware of the noncompliance, but the company failed to take the necessary remedial steps because risk was not communicated effectively to the executive suite and the board; and (3) Aerojet made misleading statements to the government about its cybersecurity compliance. These breakdowns were then reported by the senior director of cybersecurity, compliance, and controls after the company ignored his concerns and failed to remediate. This scenario can repeat itself for government contractors in any industry. The risk created by noncompliance with the FARs will increasingly surface from within an organization, in the form of whistleblower complaints. It is therefore incumbent on companies doing business with the federal government to take protective steps now.
Regulators increasingly expect company leadership and the board of directors to be informed about cybersecurity risk and compliance and to be involved in the related decision-making. For example, the Securities and Exchange Commission (SEC) recently announced proposed rules for publicly traded companies that contemplate periodic reporting about "a registrant's policies and procedures to identify and manage cybersecurity risks; the registrant's board of directors' oversight of cybersecurity risk; and management's role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures." The purpose of such reporting is to hold company management accountable for significant business decisions involving cybersecurity and compliance and to ensure that these initiatives are directed from the top down. Troutman Pepper has also noted increased government interest in the conduct of company management and the board with respect to cybersecurity, compliance, and risk. Ignorance of cybersecurity and compliance issues will not be a viable defense.
As a best practice, companies that contract with the federal government should ensure proper governance structures and implement industry best practices, including the following:
- Understand that the board has significant responsibility to contribute to and develop the company’s strategic direction with respect to risk and compliance.
- Ensure that the board comprises a diverse group of individuals with the experience and qualifications to understand cyber risk and compliance, as well as the ability to meaningfully direct the company actions needed to protect the company's assets.
- Develop a corporate governance policy that clearly delegates responsibilities and expectations, including the responsibilities and expectations for the board.
- Ensure there are mechanisms to enforce compliance with the corporate governance policy that are effective, easily implemented, and hold stakeholders accountable with consequences for noncompliance.
- Charter board risk and compliance committees. These committees promote increased visibility and involvement in critical business decisions and allow the board and company management to hold the business accountable for achieving compliance.
- Ensure that the company’s audit committee is sufficiently resourced and has broad authority to assist with the strategy to maintain government contract compliance as an additional layer of board oversight.
- Adopt a framework — such as ISO, NIST, PCI DSS, or the CIS Controls — based on best practices for the company’s industry. In our experience, ISO is the most common framework for the private sector, and in the U.S., NIST is the most common for companies that do business with the government. In most cases, companies also map their foundational framework against other regulatory and customer-specific frameworks like the FARs at issue in the Aerojet
- Track the company's performance against defined objectives so that corporate decision-making stays aligned with the company's strategic roadmap and deadlines are met.
- Create a "crown jewels" inventory and risk assessment. Ensure that the "crown jewels" (e.g., classified, business critical, and/or personally identifiable information) are carefully mapped to the systems that store and process them. From that data inventory, companies can scope the boundary of their security program and then assess risk. Companies can follow established procedures, such as NIST SP 800-30 for risk assessment and NIST SP 800-53A for assessing whether controls are actually implemented and operating as intended, which is the step that would have caught "equipment still in the box" before any certification was signed.
- Provide the board and senior management with the information needed to make important decisions. Ensure that there is a mechanism specifically for escalating changes in the company's risk profile, security breaches, and compliance shortfalls to management and the board, so the company can swiftly address those concerns and get ahead of risk and compliance problems. More companies across industries are meeting at least annually with the board and/or senior management to discuss cyber and security risks and vulnerabilities, the organization's preparedness and remediation plans, and roadmaps for enhancing safeguards. Increasingly, third-party experts are included in the discussion to provide perspective and benchmarking.
- Contract representations: do what you say and say what you do. Avoid making overly broad representations about information security program maturity, safeguards in place, and/or compliance with particular frameworks during the contract negotiation and renewal process, and do not represent a control as in place until it is deployed, covering the in-scope systems, and verified. Increasingly, companies are preparing security addenda listing the "approved" representations and warranties that may be made in master service agreements and other procurement documentation (often aligned with the recognized, audited information security framework the company actually follows).
- Maintain careful documentation to ensure that the company can demonstrate strong corporate governance and oversight in the event the decisions of the board and management are challenged.
Companies should seek legal advice from attorneys with the requisite expertise to help build strong corporate governance that supports the company's strategic efforts to identify and manage cybersecurity requirements and to appropriately address any compliance gaps.
Troutman Pepper has considerable expertise and knowledge at the intersection of law and technology and consistently monitors this space for developments in order to advise clients in this rapidly evolving landscape. We combine this experience and expertise to provide sophisticated, customized legal solutions to companies facing governance and compliance challenges and legal exposure, including disputes centering on the False Claims Act and whistleblower actions.
The settlement also included an undisclosed payment of attorney's fees and a confidential amount to resolve Markus' individual claims against the company.