Aerospace and defense manufacturer Aerojet Rocketdyne can’t avoid claims that it falsely claimed that it was in compliance with certain federal cybersecurity requirements to win government contracts, Judge William B. Shubb of the Eastern District of California held earlier this month. The case—United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc.—appears to be the first reported decision regarding False Claims Act liability for violation of cybersecurity standards under the Federal Acquisition Regulations. Relator Brian Markus was Aerojet’s senior director of cybersecurity, compliance, and controls. Markus alleged that he discovered the company’s computer systems fell short of requirements for its NASA and Department of Defense contracts, that Aerojet knew it wasn’t compliant, that it nonetheless misrepresented its cybersecurity compliance to government officials, and that he was ultimately fired from Aerojet after he refused to sign documents saying that Aerojet was compliant with the cybersecurity requirements, and called the company’s ethics hotline about the issue. Aerojet sought dismissal of the action, arguing that the government knew it did not fully satisfy the cybersecurity regulations, the government nonetheless still contracts with the company, and that the noncompliance was immaterial. The court nonetheless denied the defendants’ motion to dismiss Markus’ primary False Claims Act count, concluding that the “relator has plausibly pled that defendants’ alleged failure to fully disclose its noncompliance [with the cybersecurity requirements] was material to the government’s decision to enter into and pay on the relevant contracts.”
May 30, 2019
We use cookies to analyze website traffic and optimize your website experience. By accepting our use of cookies, your data will be aggregated with all other user data.