False Claims Act and Cybersecurity, Part II
Earlier this week we reviewed the case of a medical device company fined nearly $10 million under the False Claims Act for poor cybersecurity practices. Now let’s look at a second recent False Claims Act enforcement action over poor cybersecurity, one with considerably different circumstances and a considerably different outcome.
The case involves Aero Turbine Inc., a small-ish company in California that provides maintenance and repair services to the U.S. Air Force. Aero Turbine settled False Claims Act charges with the Justice Department last week, agreeing to pay $1.75 million over allegations that Aero Turbine certified its compliance with certain federal cybersecurity standards when in fact that wasn’t the case. (Also settling was Aero Turbine’s then-owner, private equity firm Gallant Capital Partners, although Gallant sold Aero Turbine to a larger aerospace holding company in 2024.)
So what happened? As outlined in the settlement, Aero Turbine won a defense contract in 2017 to provide maintenance services to the Air Force for jet engine components. The project required Aero Turbine to operate an IT system that handled “controlled unclassified information” (CUI), such as sensitive contract details or personal data of government employees. Key detail: government contracting rules require that any defense contractor handling CUI comply with a cybersecurity standard known as NIST SP 800-171, which governs how CUI is protected.
Long story short, Aero Turbine believed it was in compliance with NIST SP 800-171 (and certified as such) because it assumed that its system of export controls to protect technical data was sufficient to meet the cybersecurity control requirements of 800-171. That assumption was incorrect, and because Aero Turbine never verified its compliance posture against the actual 800-171 controls, the error went undetected.
So from 2018 into 2020, Aero Turbine was incorrectly certifying its compliance with NIST cybersecurity standards. Even worse, for six weeks in 2019, the CUI on Aero Turbine’s IT system was exposed to a subcontractor that used personnel in Egypt, a security violation in its own right.
Aero Turbine’s Compliance Response
The good news is that at some point in the early 2020s, Aero Turbine realized the error of its ways. The company self-reported its violation, and then cooperated with the Justice Department in the ensuing investigation. That cooperation included identifying individuals involved in or responsible for the issues, and disclosing facts gathered during an independent investigation, attributing those facts to specific sources.
Then, after identifying its control mistakes, Aero Turbine implemented mechanisms to remediate the errors and to prevent repeat occurrences in the future.
In other words, Aero Turbine hit all its marks for the Justice Department’s Corporate Enforcement Policy: voluntary self-disclosure, cooperation, and remediation. Yes, the company must pay $1.75 million in restitution and other penalties (against what was a $4.7 million contract in its first year), but overall this case unfolded in exactly the way that regulators want to see.
“Every defense contractor must provide adequate security to safeguard covered defense information,” acting U.S. attorney Kimberly Sanchez (for the Eastern District of California) said in a statement. “We commend Aero Turbine and Gallant for disclosing the issue and promptly cooperating to address it. We encourage others to follow their example of self-reporting to resolve violations.”
More on False Claims Act and Cybersecurity
What makes this case intriguing is its fellow traveler in False Claims Act enforcement: Illumina Corp., which paid $9.8 million to settle its own False Claims Act charges over poor cybersecurity on the very same day (July 31).
The Illumina case expanded the realm of False Claims Act enforcement for cybersecurity because (a) it was the first cybersecurity-related case brought against a medical device manufacturer; and (b) the offenses alleged against Illumina were more about poor product design and poor cybersecurity risk management.
That’s all new. In contrast, the case against Aero Turbine is not new; we’ve seen numerous False Claims Act cases against defense contractors that erroneously certified their compliance with NIST cybersecurity standards. But the Aero Turbine case does remind us of what internal control teams should be thinking about.
The passage from the Aero Turbine settlement that jumped out to me was this:
“[Aero Turbine] had assumed that its implementation of export controls to protect technical data was sufficient to meet its cybersecurity obligations under the contract, but neither [Aero Turbine] nor Gallant had verified whether [Aero Turbine] met the specific cybersecurity controls in NIST SP 800-171” for the IT system that Aero Turbine operated.
So whenever we see an enforcement action that mentions insufficient or inadequate personnel, this is what that looks like in practice: Aero Turbine believed that its export control system could pull double-duty as a NIST-compliant cybersecurity system, and nobody with the right expertise checked that judgment, which was wrong.
Companies need robust personnel and tools to avoid such mistakes: tools that can map your controls to your regulatory obligations and to the frameworks you use, whether those frameworks are NIST cybersecurity standards, export control regimes, or COSO frameworks for internal control over financial reporting; most likely, all three of those frameworks and more.
Only then, with a clear and correct understanding of the gaps and overlaps in your internal control system, can you start filling those gaps with effective remediation.
So, good for Aero Turbine for doing everything right after it realized its mistake. The question for the rest of us is how you put the right talent and tools in place to avoid such mistakes from the start.
