On August 22, the United States filed its complaint-in-intervention (Complaint) against the Georgia Institute of Technology (Georgia Tech) and Georgia Tech Research Corp. (GTRC, collectively, defendants), asserting claims that the defendants knowingly failed to meet cybersecurity requirements in connection with certain Department of Defense (DoD) contracts in violation of the False Claims Act.
The government’s Complaint – the first filed in connection with its Civil Cyber-Fraud Initiative – highlights the government’s increasing scrutiny of cybersecurity compliance and offers several noteworthy takeaways for government contractors.
The Government’s Allegations
The United States’ Complaint alleges that the defendants knowingly induced the DoD to enter into and retain contracts under the false pretense that they would comply with applicable cybersecurity regulations and that they had provided the DoD with accurate security assessment scores for the relevant laboratories. According to the U.S. Department of Justice (DOJ), the defendants were not eligible for these contracts, which granted them access to certain nonpublic defense information, because they failed to abide by the applicable cybersecurity requirements set out in the Defense Federal Acquisition Regulation Supplement (DFARS).
Specifically, the Complaint alleges that Georgia Tech began work on a contract in 2016 but failed to develop and implement a required system cybersecurity plan until February 2020, four years later. Under DFARS, contractors who handle nonpublic defense information are required to have cybersecurity plans. DOJ alleges, however, that even when the defendants finally instituted such a plan in February 2020, the plan was incomplete because it failed to account for most of the computers in the relevant lab. The Complaint also alleges that Georgia Tech failed to install appropriate antivirus or antimalware tools on computers and networking equipment, as required by DFARS, until December 2021. Finally, DOJ alleges that the defendants submitted a false cybersecurity assessment score to DoD in 2020. The score is meant to reflect compliance with cybersecurity standards for systems used to store sensitive defense information, but instead of accurately calculating a score for the relevant lab, the university provided a misleading score for a “fictitious” virtual campus-wide environment.
The Complaint notably does not allege that any sensitive defense information was exposed or compromised as a result of these failures. Still, the government alleges more generally that Georgia Tech fostered a lax security culture and relaxed cybersecurity requirements for star researchers who pushed back on requirements they found burdensome, because those researchers brought in money from government contracts.
According to the Complaint, Georgia Tech has entered into more than $1.6 billion in government contracts since 2019. The Complaint focuses on two of those contracts under which Georgia Tech invoiced $21.8 million and $9.28 million, respectively. Under the False Claims Act’s treble damages and civil penalty provisions, Georgia Tech could face more than $90 million in damages and penalties.
Key Takeaways
There are a few interesting things to highlight. First, the United States’ intervention demonstrates its sustained prioritization of the Civil Cyber-Fraud Initiative. Second, the mere existence of a False Claims Act qui tam lawsuit also demonstrates that the DOJ’s strategy of announcing its focus on cybersecurity in an effort to attract whistleblowers is working—whistleblowers are beginning to come forward with qui tam complaints in this space. To the extent that your company contracts with the government and makes statements to the government regarding its compliance with particular cybersecurity standards, you should take appropriate steps to ensure that those statements and certifications are accurate. Likewise, when a company becomes aware of a potential violation of those standards, it should consider whether self-disclosure would be appropriate or advisable.
Finally, although it appears no sensitive defense information was exposed, we will be interested to read arguments on both sides as to whether the defendants’ compliance with these cybersecurity standards was truly material to payment and whether the government was aware of these failures yet continued to pay and enter into these agreements. Government knowledge and materiality continue to be an area of exposure for the government as it litigates these cases, and we would be surprised if the government did not face some exposure on those issues here as well.
In other words, stay tuned!
If you have any questions about the case or cybersecurity enforcement under the False Claims Act, please contact the authors.