On April 26, trial will begin in United States ex rel. Markus v. Aerojet Rocketdyne Inc., where relator Brian Markus, Aerojet’s former senior director of cybersecurity, alleges the company violated the False Claims Act (FCA) by concealing cybersecurity problems from the government.
When the Department of Justice declined to intervene in 2018, few would have predicted that Markus’ case would become a bellwether for a government initiative. But the Biden administration subsequently prioritized cybersecurity, and the DOJ’s new civil cyber-fraud initiative will pursue FCA theories that resemble Markus’ case and allegations.
This trial in the U.S. District Court for the Eastern District of California could thus establish a blueprint for the DOJ’s new initiative—or identify potential obstacles.
DOJ’s Civil Cyber-Fraud Initiative
In May 2021, a ransomware attack shut down an American oil pipeline system for six days. Federal and state governments had to take emergency measures to maintain the fuel supply to certain parts of the country. After the attack, President Biden issued an executive order directing improvements to cybersecurity infrastructure, including systems operated by government contractors. The order directed the federal government to “bring to bear the full scope of its authorities” to protect cybersecurity.
In October, the DOJ launched the civil cyber-fraud initiative, vowing to “hold accountable” anyone “knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
The department identified “three common cybersecurity failures that are prime candidates for potential False Claims Act Enforcement”: (1) “knowing failures to comply with cybersecurity standards” set by federal agencies; (2) “knowing misrepresentation of security controls,” such as a contractor’s “practices for monitoring its systems for breaches, or password and access requirements”; and (3) “knowing failure to timely report suspected breaches.”
Potential Issues Facing Cyber-Fraud Cases Under the FCA
Whistleblower lawsuits under the initiative will raise novel issues. Most government contractors provide goods or services other than cybersecurity. While cybersecurity is undoubtedly important, federal agencies must weigh it against their need to obtain the relevant goods and services—much as private individuals balance their own desire for cybersecurity against the necessities of online life.
Those practical realities will complicate efforts to prove that false claims about cybersecurity are “material” to payment decisions and proximately cause government losses.
Not every undisclosed statutory or regulatory violation is material, as the U.S. Supreme Court made clear in United Health Services v. United States ex rel. Escobar. Describing the FCA’s materiality requirement as “rigorous,” the court explained that even a knowing violation will not give rise to FCA liability unless it affects whether an agency will pay a claim.
If the agency has a history of paying claims despite knowing of similar infractions, the requirement likely is not material. DOJ will thus have to prove that violations of cybersecurity requirements would likely impact whether an agency would pay the relevant claim. That may prove complicated, particularly where the government pays for a specialized good or a service that it cannot easily obtain.
The DOJ may also have difficulty proving what damages an agency suffers “because of” a cybersecurity violation. Most circuits require proof of both but-for and proximate causation. A cybersecurity violation is thus unlikely to permit the DOJ to recover everything an agency paid under a contract.
Determining what damages are proximately caused by a cybersecurity violation may prove thorny. Such violations do not necessarily reduce the value of the good or service the government receives. Instead, they impose an unwanted risk. The damage the government suffers “because of” that risk can be difficult to estimate and may depend on the degree to which the risk materializes.
Watching the Aerojet Rocketdyne Trial
The Aerojet Rocketdyne trial will provide an early test of how the FCA applies to allegations of cybersecurity fraud.
Aerojet Rocketdyne develops missile-defense and space-launch systems. Markus alleges that the company fraudulently concealed its failure to comply with regulations requiring defense contractors to implement cybersecurity measures and disclose known threats.
Although the court found Aerojet had disclosed some issues with its cybersecurity, it identified material disputes of fact concerning whether the company had revealed that prior data breaches had not been fully redressed and continued to leak data. The court also cited purported discrepancies between the number of cybersecurity issues identified by outside audits and those disclosed to the government.
Despite overcoming summary judgment, Markus still faces many obstacles at trial. Among other defenses, Aerojet argues that its government contracts focus on providing aerospace equipment or research, such that noncompliance with cybersecurity regulations was neither material to agency decision-making nor a cause of any injury.
Aerojet claims to have evidence that the DOJ knew that many government contractors, including Aerojet, struggled to comply. Despite that knowledge, the Department of Defense supposedly never canceled any contracts, denied payment, or requested reimbursement based on cybersecurity issues. If credited, that evidence could prove fatal to Markus’s case on both materiality and causation.
Ultimately, the DOJ has many investigative and litigative resources that private relators do not. The civil cyber-fraud initiative will bring those resources to bear, and will also benefit from the increased emphasis President Biden’s executive order placed on cybersecurity.
But Markus’s case highlights potential obstacles to the DOJ’s efforts to use the FCA to police cybersecurity. Because the FCA focuses on monetary transactions, its invocation requires DOJ to convince courts and jurors that cybersecurity is not only important, but also is what the government is paying for.
This article does not necessarily reflect the opinion of The Bureau of National Affairs, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Caleb Hayes-Deats is a partner at MoloLamken LLP where he represents companies and individuals in False Claims Act and other types of whistleblower litigation. Previously, he served as an assistant U.S. attorney in the Southern District of New York.