July 12, 2022. The Department of Justice has announced the final settlement in the Aerojet Rocketdyne cyber-fraud False Claims Act case, including a relator payday of $2.61 million. Under the terms of the settlement, the rocket propulsion and power systems manufacturer paid $9 million to settle allegations of cyber-fraud.  The whistleblower was a former senior director of cybersecurity, compliance, and controls of Aerojet Rocketdyne.  For the information he provided, the whistleblower received approximately 29% or $2.61 million of the settlement.

As an executive with insider knowledge of the company’s conduct related to cybersecurity controls in government contracts, the whistleblower or relator was well-positioned to notice that something was amiss. Relator alleged that the propulsion systems contractor misrepresented the extent to which it complied with the cybersecurity requirements of its contracts with the Air Force, Army, Missile Defense Agency, and prime contractors. The United States declined to intervene in the qui tam lawsuit that Relator filed, but he pursued the case. The case became noteworthy in 2019 when a U.S. District Judge allowed the case to proceed because the contractor’s “compliance with the relevant rules for safeguarding information was material to the government’s decision to pay Aerojet for its allegedly false claims.”

Government contractors have an obligation to comply with the cybersecurity requirements set forth in the contracts on which they bid.  Moreover, businesses contracting with the government must also honestly represent their capabilities to comply with cybersecurity requirements, which was one of the main issues in this case. Cyber-fraud is harmful to government agencies and the taxpayers funding them, as inadequate cybersecurity can compromise sensitive personal information and information pertinent to national security.  The government pays private contractors to keep sensitive data secure with taxpayer funds.  According to the FBI’s 2021 Internet Crime Report, total losses of $6.9 billion were reported in 2021.  While this report represents general internet crime (data breach, phishing scams, identity theft, non-payment/non-delivery, and similar scams), it is the closest number available to report on for the impact of cyber-crime and why cyber-fraud is potentially extremely costly.  If cyber-fraud involves a government contractor, that is money out of the pocket of taxpayers.

The U.S. Attorney for the Eastern District of California emphasized the need for whistleblowers to report cyber-fraud: “The qui tam action brought by [the whistleblower] is an example of how whistleblowers can contribute to civil enforcement of cybersecurity requirements through the False Claims Act.”

The Department of Justice needs whistleblowers to report fraud involving companies misrepresenting their cybersecurity capabilities in order to win government contracts.  Its 2021 Civil Cyber-Fraud Initiative encourages whistleblowers similar to this Relator to come forward and report fraud in order to protect government agencies, private data, and taxpayer dollars.