A Cambridge, Massachusetts, tech company’s recent agreement to settle a False Claims Act suit has contractors for the U.S. Department of Defense scrambling to avoid similar fates for failing to abide by the military’s strict cybersecurity standards.
The U.S. Attorney’s Office announced on March 25 that MORSECORP, Inc. had agreed to pay $4.6 million to resolve allegations that it violated the FCA by failing to comply with DOD cybersecurity requirements in contracts with the U.S. Army and Air Force.
In addition, the company agreed to pay $198,616 in attorneys’ fees to Kevin Berich, the whistleblower who filed the qui tam action in U.S. District Court in January 2023.
Berich is represented by Bruce C. Judge and David W.S. Lieberman, of Whistleblower Law Collaborative in Boston.
Judge describes the agreement resolving U.S. ex rel. Berich v. MORSECORP, Inc. as a landmark settlement in the government’s efforts to police the cybersecurity obligations of military contractors.
“One of the things that made this case a challenge was that it involved a new, yet unimplemented, [enforcement] program,” says Judge, a former Department of Justice prosecutor. “[The program] had been announced by the DOJ, but we hadn’t seen a successful result.”
According to Judge, under the DOJ program launched in 2021, the FCA would be used to bring about compliance with the DOD’s cybersecurity standards.
“After many, many years of trying to bring about compliance with cybersecurity controls by a significant number of organizations in the defense-industrial base by issuing notices and alerts, the Department of Justice in consultation with DOD realized they were not getting the level of compliance that was needed, given the sensitivity of the information that was needed to be protected,” Judge says. “The big challenge here was holding the DOJ to its word while not knowing whether they would actually hold the company accountable if they found what our client says was occurring.”
After investigating the allegations made by Berich, the government formally intervened in the case on March 17, setting the stage for settlement.
Judge says he expects other defense contractors to be brought to account in a similar manner since such cases have become a top priority of the DOJ under the Trump administration.
“In the defense-industrial base, you are talking about tens of thousands, maybe hundreds of thousands of participants, who at any given time are performing contracts and subcontracts on significant defense projects,” Judge says. “This settlement is meant to be a signal to those companies that the government means it will hold companies accountable if they have misrepresented their cybersecurity.”
Acting U.S. Attorney Leah B. Foley emphasizes that point in a DOJ announcement of the Berich settlement.
“Federal contractors must fulfill their obligations to protect sensitive government information from cyber threats,” Foley says in a statement. “We will continue to hold contractors to their commitments to follow cybersecurity standards to ensure that federal agencies and taxpayers get what they paid for, and make sure that contractors who follow the rules are not at a competitive disadvantage.”
According to court records, at the time Berich filed his complaint in 2023, he worked for the defendant as head of security and facility security officer. He had joined the company in January 2021.
According to the complaint, MORSE derives virtually 100 percent of its revenues from contracts and subcontracts with the DOD.
Berich alleged in his complaint that the tech firm had made “repeated false representations” to the DOD regarding the company’s compliance with the department’s cybersecurity requirements.
“As a result of its false misrepresentations, Morse has fraudulently induced DoD to award it contracts worth tens of millions of dollars when, in fact, Morse’s failure to maintain basic cybersecurity measures made it ineligible to perform the required work,” the complaint states. “Similarly, Morse has submitted inaccurate and false cybersecurity assessment score to DoD to qualify for payment of millions of dollars from the government. In fact, Morse was never in compliance with its cybersecurity obligations … .”
According to Judge, Berich separated from MORSE of his own volition after filing his whistleblower complaint and has since found other employment in the cybersecurity sector.
Federal regulations require DOD contractors and subcontractors to provide adequate security on all covered information systems.
As part of the settlement, MORSE admitted that, from January 2018 to September 2022, it used a third-party company to host MORSE’s emails without ensuring that the service provider complied with federal requirements for cyber incident reporting, malicious software, media preservation, and cyber incident damage assessment.
The defendant also admitted that, from January 2018 to February 2023, it failed to implement all the necessary controls, exposing its IT network to significant risk from third parties as well as “exfiltration” of controlled defense information.
Moreover, the defendant admitted that it reported to the DOD false “scores” for security control compliance.
MORSE is represented by Andy Liu of Washington, D.C.
In an emailed statement, Liu writes that the settlement “was a resolution of historic False Claims Act allegations.”
He goes on to say that his client denies any wrongdoing and cooperated with the DOJ’s investigation.
“Through our history, we have always maintained the security of the government’s data, and significantly invested in robust systems and controls to ensure that there were no breaches of this data. MORSE Corp. resolved this matter to avoid the unnecessary expense and distraction of litigation and focus on serving its customers’ needs,” he writes.