US government contractor Aerojet Rocketdyne has paid a $9m settlement after allegations that it misrepresented its compliance with US government security requirements.
The El Segundo, California, company violated the False Claims Act, according to allegations by former employee Brian Markus.
Aerodyne is a rocket contractor that numbers the Department of Defense and NASA among its government customers. Markus, a former senior director of cybersecurity at Aerojet, alleged that the company failed to protect unclassified information as part of its government contracts. He asserted that it lied about its cybersecurity policies to win more contracts, adding that it had experienced data breaches in 2014 and 2015.
Markus had filed the claim under the Department of Justice’s False Claims Act Civil Cyber Defense Initiative, launched in October last year. The initiative targets those who put US information systems at risk by knowingly misrepresenting their cybersecurity protocols. It also seeks out those who knowingly offer deficient cybersecurity products and services or fail to report data breaches.
This was the first case in which a former employee attempted to bring action on a government’s behalf for alleged cybersecurity fraud. Although the government declined to intervene, Aerojet Rocketdyne failed to get the case dismissed. It agreed to settle on the second day of its jury trial on April 27 this year. However, the settlement is not an admission of liability.
Markus filed the lawsuit under the False Claims Act’s whistleblower provisions, which typically awards the plaintiff up to 30% of the damages. He had originally sought a minimum of $2.6bn from his former employer, representing the value of Aerodyne’s US government contracts between 2013 and 2015. He gets $2.1m of the settlement payment.