Another False Claims Act Settlement with a Defense Contractor
For those of you not familiar with the False Claims Act (FCA), it is a Civil War-era law that the government uses to recover billions of dollars every year from contractors who lie to Uncle Sam about something. In our case, the lie is about their cybersecurity practices.
In 2021 the DoJ stood up a new initiative, the Civil Cyber Fraud Initiative, to go after cyber liars: vendors to the government who lie about their cybersecurity practices.
While they go after the big companies like Cisco and Aerojet Rocketdyne, they also go after small, unheard-of companies.
While we don’t know how many cases they are currently investigating, we think it is between dozens and a hundred or more. Every now and then one pops out, as it did last week.
In recent history Cisco paid a $10 million fine and Aerojet paid $9 million.
This week’s addition to the club is MORSECorp. MORSE stands for Mission Oriented Rapid Solution Engineering and, it appears, over the last 5 years or so the company held around $50-$75 million in defense contracts.
One key part of the FCA is that private citizens can bring suits on behalf of the government and that is how this one started.
The DoD has strong security requirements and, according to the settlement, MORSE didn’t think those applied to them. They used cloud services that did not meet the DoD security requirements for controlled unclassified information, did not have an appropriate system security plan, and posted a false security score to the government’s security score tracking system, SPRS.
When their former employee (the one that sued them) pointed out the false score, they ignored him. Eventually he left and, in 2022, he sued them. As the law allows, the government took over the case, and this past week the company agreed to pay a $4.6 million fine, pay accrued interest and pay the former employee’s legal fees.
Also, another feature of FCA is that the whistleblower gets a percentage of the settlement. In this case, that would be 18.5 percent or a bit over $800,000.00. At the government’s discretion, his share could have been as much as 30 percent. He was represented by a law firm whose entire practice is dedicated to these types of cases and there are a number of these firms.
This is a relatively small company with around 150 employees and writing a check like that probably is not easy.
Other FCA cyber suits in the news include one against the University of Pennsylvania that recently settled and one against Georgia Tech that is in the middle of litigation.
One thing that MORSECorp did that the government did not like is that they lied about their security score in SPRS. They said, for years, that they had a near-perfect score of 104. According to the DoJ, their actual score was negative 142 (the score ranges from 110 to -203). After the DoJ started investigating, they decided to correct their score, and after several years they did get their score up to what they claimed back in 2018. That does not get them off the hook for the crime, however.
The DoJ also settled at the same time with Evolutions Flooring Inc., a California wood flooring importer that knowingly evaded customs duties on imports of wood flooring from China. That cost them $8.1 million. As you can see, it is not all cyber; it is fraud in general. Note that in neither case was a cyber breach involved. Or DOGE. Over the last decade, the DoJ has recovered tens of billions of dollars with this law.
Details at: DoJ, The Cyber Express, Whistleblower LLC Law Firm.