The DOJ's Complaint Also Emphasizes Its Expectation That Contractors and Grantees Implement Appropriate Cybersecurity Measures
By filing a Complaint-In-Intervention against the Georgia Institute of Technology (Georgia Tech) and Georgia Tech Research Corp. (GTRC) alleging that defendants knowingly failed to meet cybersecurity requirements in connection with Department of Defense contractual obligations, the U.S. Department of Justice (DOJ) signaled that it will continue to ramp up enforcement efforts as part of its Civil Cyber Fraud Initiative.
The DOJ's 99-page complaint, filed on August 22, serves as the government's first intervention in a cybersecurity-related False Claims Act (FCA) case since the DOJ unveiled the Civil Cyber Fraud Initiative in October 2021. In other instances, the DOJ has reached settlements with contractors or grant recipients accused of violating certain cybersecurity protocols while the FCA cases against them remained under seal, or the DOJ has opted not to intervene in cases brought by whistleblowers.
The DOJ's approach in the Georgia Tech case differs—and likely will provide significant insight regarding the DOJ's future enforcement priorities in the universe of cybersecurity compliance.
This case began in July 2022 when two whistleblowers (senior members of Georgia Tech's cybersecurity division) filed an FCA action against Georgia Tech and GTRC, alleging that both defendants failed to follow proper protocols for processing and storing controlled unclassified information in connection with U.S. Department of Defense (DoD) contracts. See United States ex rel. Craig v. Georgia Tech Research Corporation, No. 1:22-cv-02698 (N.D. Ga.). Following an investigation, the DOJ intervened in February 2024, leading to the filing of its complaint-in-intervention on August 22.
Allegations in the DOJ's Complaint
The DOJ's complaint-in-intervention alleges that, contrary to the requirements of their DoD contracts, Georgia Tech and GTRC failed to:
- develop and implement a system security plan until February 2020, even though such security controls are mandated by DoD cybersecurity regulations;
- implement a comprehensive security plan that included all covered devices and equipment, even after the system security plan was developed in February 2020; and
- install, update, or run anti-virus or anti-malware tools on its devices and networks until December 2021.
Additionally, the DOJ's complaint alleges that Georgia Tech and GTRC created and submitted a false cybersecurity assessment score for the Georgia Tech campus for the purpose of inducing DoD to enter into and retain contracts with them. Instead of utilizing DoD's prescribed assessment methodology to assess how their systems actually process, store, and transmit sensitive DoD data, Georgia Tech and GTRC allegedly provided DoD with an assessment score for a "fictitious" or "virtual" campus-wide IT system. The complaint alleges that the defendants provided a "false" score of 98 (on a 110-point scale).
Anticipated Next Steps
Although universities and other entities often settle FCA lawsuits brought by the DOJ, Georgia Tech asserted in a press release that it plans to "vigorously dispute" the DOJ's allegations in court. It contends that the lawsuit "has nothing to do with confidential information or protected government secrets" and that DoD "told Georgia Tech that it was conducting research that did not require cybersecurity restrictions."
If the case eventually moves toward a settlement, it remains unclear how the government will assess damages. The DOJ's Complaint states that payments made by the government under the DoD contracts totaled more than $19 million. Of course, because the False Claims Act allows for treble damages, total damages can be assessed at three times the amount of damages sustained by the government. Between treble damages and other associated penalties, the defendant in an FCA case faces considerable potential exposure and financial risk.
DOJ's Ongoing Emphasis on Cybersecurity as an Enforcement Priority
The DOJ's intervention in this case demonstrates that federal contractors and grant recipients must be increasingly vigilant to ensure compliance with cybersecurity requirements. Even in the absence of any cybersecurity breach or other data security incident, the DOJ may pursue enforcement action if it believes that a contractor or grantee has failed to implement appropriate cybersecurity measures or has failed to follow security controls mandated by cybersecurity regulations.
Entities must carefully review their contracts and grants to identify any express or implied conditions relating to cybersecurity. If, as Georgia Tech alleges happened here, the federal government represents that a particular project does not require cybersecurity restrictions, the entity should also preserve records of those representations—and check that the representation does not contradict the terms of the contract or grant.
Once the United States formally serves a copy of its complaint, Georgia Tech and GTRC have 20 days to submit a response. See 31 U.S.C. § 3730(b)(3). That response will shed additional light on the federal contracts at issue and defendants' rationale for asserting that the contracts were exempt from federal cybersecurity requirements. If the parties continue to litigate the case rather than reaching a settlement, the case also has significant potential to shape future DOJ enforcement actions and provide guidance on how to determine if a particular project is subject to federal cybersecurity requirements.