Qui tam whistleblower alleged that Aerojet Rocketdyne misled the government regarding its compliance with cybersecurity standards
Defense contractor Aerojet Rocketdyne (NYSE: AJRD) has agreed to pay $9 million to settle allegations it violated the False Claims Act by falsely certifying its compliance with federal cybersecurity requirements in connection with multiple procurement contracts with the Department of Defense (DOD) and the National Aeronautics and Space Administration (NASA). The qui tam relator whose whistleblower complaint exposed the alleged fraud will receive a whistleblower award of $2.61 million.
Critical Cybersecurity Deficiencies
Aerojet manufactures aerospace and defense products, including systems and components for precision munitions and satellites. Its main customers are U.S. government agencies like the DOD and NASA.
U.S. government defense procurement contracts require that federal contractors adhere to certain cybersecurity standards designed to prevent unauthorized access and disclosure of controlled or sensitive information stored on the contractor’s computer system. Those standards are mandated by regulation and incorporated into the contracts.
The Aerojet qui tam whistleblower—a former director of cybersecurity compliance & controls at the company—alleged that Aerojet provided defense products to the government under multiple contracts and subcontracts despite knowing that its computer systems did not meet DOD and NASA cybersecurity requirements. According to the complaint, Aerojet falsely certified its compliance to secure the contracts and, when asked by the government, misled it as to the cybersecurity software and hardware that it had on its systems. Contrary to its certifications and statements, however, Aerojet’s systems were noncompliant, deficient, and vulnerable to cyberattack.
The whistleblower alleged that he brought the cybersecurity noncompliance issues to the attention of management. Nevertheless, the company failed to provide him with the resources necessary to correct the deficiencies. Instead, it fired him in retaliation for refusing to execute false certifications of compliance to the government. The whistleblower also alleged that Aerojet management concealed the cybersecurity issues from its board of directors.
Violations of the False Claims Act Based on False Cybersecurity-compliance Certifications
Although False Claims Act lawsuits involving fraud by government contractors are common, the Aerojet case is the first known instance of a settled False Claims Act lawsuit based on contractor’s cybersecurity compliance. In refusing to dismiss the whistleblower’s complaint, the court found that Aerojet’s false certifications of compliance were material to the government’s decision to contract with Aerojet and to pay its invoices, which constituted “false claims” for payment under the False Claims Act.
Notably, the Department of Justice (DOJ) recently launched a Civil Cyber-Fraud Initiative to encourage whistleblowers to come forward with cybersecurity-related False Claims Act lawsuits involving deficiencies that threaten to leave government information or networks open to breaches or hacker attacks. The DOJ is also on the lookout for contractors that are knowingly violating their obligations to monitor and report cybersecurity breaches or attacks.
Fighting Fraud on the Public
Congress originally enacted the False Claims Act during the Civil War to combat fraud by contractors supplying the Union Army. The statute imposes substantial liabilities on parties who knowingly defraud the federal government or its agencies. Its qui tam (whistleblower) provisions allow private parties to sue wrongdoers and share in the proceeds. If a claim is successful, qui tam whistleblowers under the False Claims Act receive awards of 15-30% of the recovery.
If you have information regarding noncompliant cybersecurity practices by a government contractor, be sure to confer with an experienced whistleblower attorney to discuss the specifics of your matter and the likelihood of asserting a successful whistleblower claim. With cyberattacks on the rise and the federal government increasingly vigilant about cyberthreats, cybersecurity-related whistleblower lawsuits under the False Claims Act are likely to become a priority for the government. Reach out to federal procurement whistleblower attorney Mark A. Strauss for a free and confidential consultation.