Although aerospace and aviation companies are familiar with certain harms of cyberattacks, such as ransom demands, operational slowdowns, and compromised data of employees, passengers and others, a court ruling earlier this month demonstrates that if you have contracts with the federal government, your most significant cybersecurity risk might come from within. The case – Markus v. Aerojet Rocketdyne Holdings, No. 2:15-cv-02245, 2022 WL 297093 (E.D. Cal. February 1, 2022), involves a False Claims Act suit brought by a whistleblower, a terminated employee who had served as Aerojet’s cybersecurity director. He alleges that Aerojet fraudulently induced the government to contract with it, despite the company’s knowledge that it did not comply with certain DoD and NASA cybersecurity regulations.
Under an FCA claim predicated on promissory fraud, if the contract was originally obtained through false statements, liability attaches to each claim for funds submitted to the government under the contract. Worse, among other relief, the False Claims Act provides for treble damages. In Markus, the suit seeks billions of dollars (the whistleblower would be entitled to a 15-25% share of the proceeds). At this point if you are thinking, well, nothing to worry about, we would never be accused of fraud at our company, read on …
On February 1, 2022, the fraudulent inducement claims in Markus survived summary judgment, despite the following facts: 1) Aerojet proactively addressed cybersecurity requirements by engaging an outside company to perform annual audits; 2) Aerojet disclosed to the government, prior to the award of the contracts, that Aerojet could not meet certain cybersecurity requirements; and 3) due to a prior merger, the network at issue was not fully in its control at the time of the breaches. The court, however, stated that there was evidence to suggest that Aeroject’s disclosures were incomplete and, in language familiar to aviation companies that have faced tort claims, reasoned that certain specific controls spelled out in the Defense Federal Acquisition Regulations were just a “minimum” standard, and whether Aerojet’s cybersecurity was “adequate” was an issue for the jury. Thus, Aerojet continues to face billion dollar claims in a closely watched federal case.
Adding to the difficulties faced by Aerojet, counsel for the whistleblower has a heavyweight ally – attorneys for the Civil Division of the Department of Justice representing the United States as Intervenor. This intervention is consistent with the government’s new (October 2021) Civil Cyber-Fraud Initiative. The DOJ press release announcing the initiative stated, in part:
The initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
Announcing the initiative, Deputy Attorney General Lisa O. Monaco stated “For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it. Well that changes today.” On October 13, 2021, Acting Assistant Attorney General Brian M. Boynton reasoned that cybersecurity lapses deprive the government of what it bargained for. He cited examples of what would cause the government to use the False Claims Act to obtain relief, including when a contractor fails to: 1) timely report suspected breaches; 2) restrict non-U.S. citizen employees from accessing systems; 3) protect government data, or 4) avoid using components from certain foreign countries.
On October 20, 2021, Deputy Attorney General Monaco specifically encouraged whistleblowers to assist in the Civil Cyber-Fraud Initiative, stating the Initiative:
[W]ill use the False Claims Act to both enforce civil fines on government contractors and grant recipients as well as protect whistleblowers who bring information forward…. And to those who witness irresponsibility that exposes the government to cyber breaches, our message is this: if you see something, say something. We will use all of the legal authorities in our reach to make sure you are protected and compensated.
There is a risk that in the aviation industry, the Civil Cyber-Fraud Initiative will become a trap for the unwary. For example, aviation companies, unlike rail and pipeline operators, are not yet subject to industry specific federal cybersecurity directives, and might overlook the fact that if they have government contracts, they may have to implement certain specific controls and maintain an “adequate” level of cybersecurity. For air carriers, for example, the cargo or personnel carried, the operational details of the flight, the costs paid, specifics on certain aircraft modifications, or even the contract itself might be confidential.
Part of the risk, ironically, is the fact that many companies are adding personnel tasked with cybersecurity. Although this is necessary – airlines, for example, are treasure troves of confidential data ranging from their own proprietary data, passenger credit cards, passports, and other personally identifiable information (“PII”), partner/vendor data, and more – each additional cybersecurity employee is another potential whistleblower, who might decide chasing money in the court system is preferable to designing patches. All members of the aviation industry should take a pro-active stance regarding cybersecurity issues. This includes auditing your cybersecurity program and running annual drills/tabletops focusing on responding to an event.
In many respects, such planning is another aspect of emergency planning . . . if you wait until the event has occurred, you are already “behind the power curve.”