On April 26, 2022, the groundbreaking case United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc. proceeded to trial in the Eastern District of California. This first-of-its-kind case—wherein a qui tam relator attempted to hold his former employer accountable using the False Claims Act for its alleged cybersecurity fraud—was certain to be a bellwether test case for cyber-related FCA liability. Read on to learn more about the case and what it may mean in the realm of cybersecurity and data privacy going forward.

Aerojet Rocketdyne was also to be a bellwether for the Biden administration’s new cybersecurity initiative. If you recall, the Department of Justice announced in October 2021 the Civil Cyber-Fraud Initiative and its plans to use the False Claims Act (FCA) to identify and deter cyber incidents that put sensitive and critical government information at risk.[1] For those unfamiliar with the FCA, it is a law used to impose liability on persons or entities that knowingly defraud government programs and misuse taxpayer funds. The FCA allows private parties—i.e., whistleblowers, known as “relators”—to bring cases on the government’s behalf, and seek a recovery of government funds. The FCA also permits the government to recover three times its damages, as well as statutory penalties for each false claim. Further, if the recovery is successful, the relator is entitled to a share of these proceeds.

Given that the federal government is one of the largest purchasers of cyber products and services, the DOJ expects whistleblowers to play a significant role in implementing the Civil Cyber-Fraud Initiative and in exposing misconduct in the cybersecurity space.

It is against this backdrop that all eyes were on Aerojet Rocketdyne when it went to trial. The case involves a whistleblower, relator Brian Markus, who was a former senior director of cybersecurity and compliance at Aerojet, a government contractor specializing in missile defense. The relator alleged that Aerojet fraudulently concealed its failure to comply with government regulations requiring defense contractors to implement cybersecurity measures and report incidents and breaches. And although the government, which often intervenes in particularly strong FCA cases, declined to do so here, the relator’s case proved durable.

First, the relator’s complaint was able to survive a motion to dismiss, and it was the first of its kind to do so. Defendants argued that it was impossible for the relator to satisfy the materiality prong of the FCA, because Aerojet had disclosed to the government that it was not fully compliant with the relevant government regulations; indeed, it even sought a waiver of the requirements. The court, however, disagreed. The court found that the relator properly alleged with sufficient particularity that defendants had not fully disclosed the extent of their technical noncompliance. The court also ruled that such noncompliance was material—that is, it mattered to the government’s decision to enter into a contract with Aerojet.

Second, the relator’s promissory fraud claim survived summary judgment. At this stage of the litigation, the relator was able to provide evidence demonstrating that the Aerojet defendants had not disclosed the true breadth of their cybersecurity noncompliance, and that these omissions could constitute a material false claim under the Act. The relator produced evidence that certain data breaches were not fully disclosed to the government by, among other things, showing a number of discrepancies between the number of cybersecurity issues identified by outside auditors and those disclosed to the government.

The relator was also able to avoid summary judgment on the issue of causation. The court ruled against defendants’ argument that because the government had received what it bargained for—functional rocket engines—there was no evidence of causation to connect Aerojet’s representations as to cybersecurity and the government’s decision to enter into a contract with it. Instead, the relator successfully persuaded the court that the government’s contract was not just for rocket engines, but was also for a company to satisfactorily store the government’s sensitive data on a system that met its cybersecurity requirements.

As such, Aerojet Rocketdyne proceeded to trial on April 26, 2022. The relator, no doubt buoyed by the recent summary judgment decision, sought a minimum of $2.6 billion in damages—the value of Aerojet’s government contracts from 2013 to 2015—and (quite remarkably) this figure did not include treble damages, penalties, or attorneys’ fees. The very next day, on April 27, 2022, Aerojet agreed to settle the case. Thus, while Aerojet Rocketdyne may not be the fully-litigated bellwether case for cyber-related FCA liability that everyone had hoped for, the quick settlement does demonstrate just how dangerous non-compliance with cybersecurity regulations can be.

 

[1] See DOJ Justice News, “Acting Assistant Attorney General Brian M. Boynton Delivers Remarks at the Cybersecurity and Infrastructure Security Agency (CISA) Fourth Annual National Cybersecurity Summit,” October 13, 2021.