BLOG: Cybersecurity, Implied Certifications, and the False Claims Act

July 22, 2019

By Isaias "Cy" Alba IV
Practice Areas: Cybersecurity & Data Privacy, False Claims Act, Government Contracts Law and Litigation & Dispute Resolution

As I am sure many of you know and have read about already, the first False Claims Act (“FCA”) case, US Ex rel. Markus v. AeroJet Rocketdyne Holdings, Inc., et al., No. 2:15-cv-2245, has been filed in the Eastern District of California by a disgruntled former Director of Cyber Security Compliance and Controls, and it survived a motion to dismiss in May of this year. When the existence of the AeroJet case is layered over the U.S. Supreme Court’s findings in Universal Health Servs., Inc. v. US Ex rel. Escobar, 136 S.Ct. 1989 (2016), which confirmed FCA liability based upon implied certifications, a worrisome result can occur. Namely, can disgruntled employees, aggrieved subcontractors, consultants who see an opening for a quick buck, spouses in the midst of a contentious divorce, or any other random individual with a basic knowledge of your IT systems file an FCA case against you claiming that you impliedly certified, by merely accepting a federal contract, that you were in full and unequivocal compliance with all NIST 800-171 standards and that you had all documentation required by DFARS 252.204-7012? The answer is absolutely “YES.” Small to mid-sized government contractors should note that their lack of diligence can be used as evidence of recklessness, which gives rise to FCA liability.

The most disconcerting part of the AeroJet/Escobar connection is that, due to the confusing nature of the NIST 800-171 standards, IT departments at different firms develop wildly divergent interpretations of what is actually required at the technical level. If it is difficult for even IT professionals to understand what is actually required, down to the specific details, this leaves a huge gulf that can only be filled with case law, which necessarily means litigation.

While the DoD rules went into full effect January 1, 2018, many contractors, especially small and mid-sized companies, believe that it is not “really” in effect or that the government isn’t “really” enforcing it yet. This is where the FCA implications loom large: it does not matter whether the government is enforcing the law or not. The fact that the regulation is final and incorporated into nearly all DoD contracts (note that similar non-regulatory contract clauses are found in civilian contracts as well, so be aware this is not just a DoD contractor risk) means that, by accepting a contract with any such requirement (DoD or otherwise), you are certifying under Escobar, or have already certified if the contract was awarded after January 1, 2018, that you are in full compliance.

Because an objective understanding of the NIST 800-171 requirements is elusive, there is an even greater risk that a relator, even one acting in good faith, could view what you consider full compliance as non-compliance and file an FCA suit against you. Thus, it is important to show those in your IT department, or those who may have access to and knowledge of your policies and procedures, that

  1. you have inquired into the meaning of the NIST standards, 
  2. you have worked diligently to ensure compliance, and 
  3. you have explained how your company did so.  

If current employees understand the actions you took and they see you are careful with compliance, they are far less likely to have an actionable suit.  While there are always unscrupulous individuals, and equally unscrupulous lawyers who will take any case to try and force a settlement, that risk can be greatly mitigated with clear communication with employees and those with access.

That said, it is important to note that FCA liability does not arise from mere negligence; there has to be actual knowledge of non-compliance or reckless disregard for the truth with regard to such non-compliance. This, however, does not mean you can fail to investigate or understand the regulations and then claim mere negligence. Indeed, the Department of Justice (“DOJ”), in a number of cases I have handled in the past decade, has demanded to see documentation (printed documents, emails, etc.) showing your attempts to fully understand the law. Only if you have taken the time to understand the law and then come to a good faith and reasonable conclusion about the meaning of the law or its requirements can you avail yourself of the mere negligence defense. Many small to mid-sized firms believe that, because they did not realize the law even existed or did not look at and investigate the meaning of the regulation, they can still claim negligence. But that notion is false. DOJ will view your lack of diligence as evidence of recklessness, which gives rise to FCA liability. Each case is different, and we can certainly evaluate the arguments that may exist in each situation, but, as a general rule, DOJ views the failure of a company to educate itself to the maximum practicable extent as a sign of recklessness, not negligence.

The “good” news is that, as my colleague Dave Shafer noted in his latest blog, DoD does plan to remedy this confusion, and therefore greatly reduce the risk of FCA liability due to ignorance, by finalizing its Cybersecurity Maturity Model Certification (“CMMC”) standards. This, we hope, will be a clear set of requirements that ends in a certification issued to the contractor. While it may be costly or time consuming to achieve, it is far less costly than a 5+ year FCA lawsuit, and we hope the CMMC standards will mitigate the risks noted above.

Unfortunately, the CMMC standards are likely a couple of years off, as they have to be developed, go through notice and comment rulemaking, and then be adopted into the DFARS and, likely, later the FAR. We will of course keep our clients and friends up to date on all the latest, but in the meantime, be aware of the FCA risks and make sure you are in full good faith compliance with the cybersecurity regulations or other contractual requirements to avoid the wrath of a relator looking for a payday.

Check out PilieroMazza’s podcast GovCon Live! to hear more as we present “Ex Rel. Radio,” our multi-part series on the False Claims Act, which will include commentary on potential pitfalls for your company, enforcement issues, and emerging trends. Please subscribe on Apple Podcasts, Spotify, Google Podcasts, TuneIn, or Stitcher to listen to past podcasts and receive a notification when the first episode of the new series goes live on July 29, 2019.

Isaias “Cy” Alba, the author of this blog, is a co-chair of the Firm’s Government Contracts Group and is a member of the following practice groups: Cybersecurity & Data Privacy, Audits & Investigations, Business & Corporate Law, False Claims Act, Intellectual Property & Technology Rights, Labor & Employment, Litigation, and Small Business Programs & Advisory Services.