Materiality of Cyber Defect Questionable When Agencies Could Have Worked with Vendor to Address It; U.S. District Court for the District of Columbia No. 15-cv-608 (TFH), U.S. ex rel. Phillip M. Adams v. Dell Computer Corporation et al.


The district court granted Dell Computer’s motion to dismiss a qui tam complaint alleging it falsely certified the security of various computer systems sold to the federal government despite its knowledge of a serious defect. The court found the relator plausibly alleged the existence of a flaw that could be exploited by an outside actor, and that the defendant was presumably required to provide defect-free products to the government. The court also found the relator satisfied the particularity requirement, even though he did not identify specific false claims, because he had cited the products, vendors, and contracts involved. However, the court found the relator had not demonstrated that the alleged defect was material. While federal agencies operate under several mandates requiring them to protect the integrity of their computer systems, the court found no evidence those mandates had flowed down to Dell. Further, the mandates require agencies to mitigate vulnerabilities, not to ensure that computer systems have no flaws whatsoever, and therefore the court found it plausible that agencies would have purchased the computers had they known of the existence of the defect, and simply worked with the defendants to address it. Finally, the court found the relator had not demonstrated the defendants had knowledge of the flaw or that the flaw rendered its security certifications false. In his complaint, the relator described the difficulty he experienced identifying the defect, yet also alleged that Dell employees had to be aware of it. Because the relator did not resolve this contradiction, the court found he could not show Dell employees necessarily knew of the flaw.

Relator Phillip Adams filed a qui tam lawsuit alleging that Dell Computer Corporation and its subsidiaries and affiliates violated the False Claims Act by knowingly selling hundreds of millions of dollars of computer systems to the United States government that contained undisclosed security vulnerabilities. The defendants moved to dismiss.

In his complaint, Adams alleged that he conducted an independent investigation into the existence of cybersecurity vulnerabilities in Dell computers sold to the United States. According to Adams, the vulnerabilities included hardware trojan horses that would allow a malicious actor to control the system from the outside or that might be triggered unknowingly by an authorized user with the same effect of denying use of the system.

Specifically, the relator alleged that the affected computer systems included system control chips containing legacy functions, which the United States government did not want or need the system control chip to contain. For example, the control chip might contain programming that recognizes and operates a floppy disk drive, a device that is no longer incorporated into most modern computers. According to the relator, that computer code remains accessible and functional even though there is no floppy disk drive to control, and this unused but available code can permit the computer to be controlled by an outside actor.

In his complaint, Adams alleged Dell presented false claims for payment and made false statements to induce the government to make those payments. He also alleged Dell made overt and implied false certifications.

First, the court found the complaint did not assert that Dell made any false statements, but rather relied on allegations of false certifications. Absent evidence of any statements made by any of the Dell defendants, the court dismissed this claim.

In his claim of false or fraudulent certification, the relator alleged Dell certified that the items sold to the government were as described in the contract; that they were free from defects; that they were fit for the use described in the contract and were fully functional and would operate as intended; that they complied with the Department of Defense Counterfeit Prevention regulation; that they conformed to the minimum security requirements of the Federal Standards Program; that they included internal components that directly support the provided platforms; and that they conformed to the representations of Dell concerning performance, configuration, design, and functional characteristics.

According to the relator, the existence of the hardware trojan rendered each of these certifications false. In response, Dell argued the relator failed to state a claim. Even assuming that the computers did include the hardware trojan as the relator alleged, Dell argued the relator did not demonstrate that the existence of this alleged flaw rendered any of the certifications false.

However, the court also had to assume the alleged facts were true, and therefore found the relator had asserted the existence of a defect in Dell’s computers and that Dell was required to provide defect-free computers to the government.

Next, the defendant argued the relator had not pled his allegations with particularity. The relator alleged that any of the contracts between the Dell entities and government agencies which involved the purchase of any of the affected computer systems contained the false certifications and resulted in the payment of a false claim. In response, the defendants argued that merely listing the contracts is not sufficient under Rule 9(b) to provide them with the ability to adequately challenge the amended complaint. However, the court noted that the D.C. Circuit Court has held that a relator need not plead representative samples of claims actually submitted to the government in order to satisfy the particularity requirement. The court found it sufficient that the relator had identified the contracts, the relevant Dell entity that entered into the contract, and the specific computer systems purchased by the government.

Next the court considered whether the alleged false certifications were material to the government’s decision to pay. The relator argued the existence of the hardware trojan is material, because the agencies that acquired Dell’s computers are under a mandate to assure the cybersecurity of their systems and their contractors’ systems. Because the alleged defect creates serious risk that a computer system could be rendered inoperable, the relator argued the agencies would not have purchased these systems had they known of the defect.

In response, Dell argued that the mere existence of a criterion that the systems be secure does not establish that the requirement was material, even if federal agencies are concerned about the cybersecurity of the systems they purchase.

The court sided with the defendants. While the court found it plausible the agencies might have decided not to purchase Dell computers had they known of the existence of the hardware trojan, it also held that an entitlement to refuse the product based on a violation of a contractual requirement is not always material. Further, the court found the relator did not allege that Dell was required to comply with any of the cited federal technology policies or that the contracts at issue mandated such compliance. Instead, he merely argued that because agencies are expected to comply with security policies, these requirements would have been passed along to Dell.

However, the court found that these policies—even if they were passed down to Dell—did not require products to be free of defects, but require agencies to limit vulnerabilities and correct them when detected. The court found it plausible that Dell could comply with the policies by providing a computer system with limited vulnerabilities and providing the necessary assistance to eliminate or reduce vulnerabilities as they appear. Therefore, the court found that the existence of a single defect as alleged by the relator would not necessarily be material to the government’s decision to buy Dell’s computers or pay their invoices.

The court also found the complaint did not sufficiently allege knowledge. On the one hand, the relator alleged that Dell would have been aware of the existence of the system defect, given its familiarity with its own computers. However, he also alleged that he identified the hardware trojan through his independent investigation and development of unique methods and tools. In fact, in his response to the motion to dismiss, the relator explained that it is difficult to detect and correct hardware trojans and that he did so “against all odds.” The court found itself unable to resolve the discrepancy between the difficulty described by the relator in identifying the defect and his allegation that Dell employees must have been aware of it. Given these contradictions, the court found he could not plausibly allege Dell had knowledge of the issue. Further, even if the relator could show that Dell employees had knowledge of the undocumented programmable functions, the court found he had not alleged that any Dell employees had reason to believe those functions violated a material provision in the agreement with the government agencies.
