When Just Checking The Box May Lead To Contract Fraud
The attached article discusses an interesting case brewing in California regarding the False Claims Act. In a nut shell there was an aerospace company that was bidding on a government contract. As required by DoD policy the company had to state it was compliant with DoD cybersecurity regulations. The company’s senior director of cybersecurity refused to sign a statement saying that the company was compliant. He was then fired. The company was awarded the contract and began providing rockets to the government.
The employee not only sued for wrongful termination, but also sued under the False Claims Act, saying that the company “defraud[ed] the U.S. government under the False Claims Act by submitting and conspiring to submit false certifications that the company was compliant with… federal cybersecurity requirements.” Whoa! Really? To level set here the False Claims Act has historically been used when a company has defrauded the government out of money. To have a former employee assert that the company acted fraudulently by checking that box that says “sure we are compliant” is new and exciting (only to attorneys) area.
This brings a whole new dimension to government regulations and government contractors. If successful, the precedent can be set that if a company certifies compliance with cybersecurity regulations and there is “fudging” going on, they could be found to have committed fraud. It also opens the flood gate for plenty of litigation concerning what “knowingly” means, however, the concept of intent is always an issue in litigation. Whatever the result of the case, government contractors, need to take heed that the days of self-certification, i.e. checking the box, may be coming to an end.