As the DOJ's Civil Cyber-Fraud Initiative gains steam, civil prosecutors and whistleblowers have set their sights on universities and colleges with a close eye on cybersecurity compliance.
As a refresher, Deputy Attorney General Lisa Monaco announced the launch of the DOJ's Civil Cyber-Fraud Initiative in October 2021. Utilizing the False Claims Act (FCA)1 as a substantive predicate, the Initiative aims to target government contractors and grant recipients that (1) knowingly misrepresent their cybersecurity practices or protocols, (2) knowingly violate monitoring or reporting obligations or (3) knowingly provide deficient cybersecurity products or services.2 Higher education institutions – commonly recipients of federal research grants and government contracts – now face greater scrutiny to ensure compliance with quickly evolving cybersecurity obligations that go well beyond cyber incident disclosure. With significant enforcement activity accelerating earlier this year, two universities recently have been publicly targeted for enforcement activity, with likely more to follow.
Most recently, in August 2024, the DOJ joined its first whistleblower lawsuit under the Initiative, filing a complaint-in-intervention alleging that Georgia Tech violated the FCA by failing to comply with cybersecurity requirements contained in its Department of Defense (DoD) contracts. The DOJ alleges that Georgia Tech and its research lab failed to develop a system security plan, failed to use antivirus software on devices that had access to sensitive information and submitted a false cybersecurity assessment score to the Government.3 The DOJ also noted that universities are prime targets for cyberattacks by foreign adversaries, emphasizing the need for cybersecurity compliance in our higher education schools.4
Similarly, a whistleblower lawsuit against Penn State University was unsealed in September 2023, alleging that the school violated the FCA by falsely certifying compliance with DoD cybersecurity regulations (DFARS 252.204-7012).5 The regulations required implementation of and compliance with cybersecurity guidelines (NIST 800-171), such as conducting a risk assessment, which Penn State allegedly did not perform.
Universities with health care systems and academic hospitals also face a potential risk of DOJ enforcement involving electronic medical record (EMR or EHR) systems and protected health information. For example, the DOJ entered into a $930,000 settlement related to securing medical records in an EMR system6 and a $293,771 settlement related to securing personal information on a federally funded health insurance website.7 Although these settlements did not involve universities, the DOJ commented that it would “use every available tool to protect Americans' health care data.”
Beyond addressing cybersecurity incidents, these recent cases illustrate that the DOJ is now seeking to penalize mere noncompliance with cybersecurity programmatic requirements, even where no cyber incident occurs. Universities and colleges should be vigilant to ensure they are in full compliance with all data security obligations related to federal grants, government contracts and protected health information.
Footnotes
1. 31 U.S.C. § 1379, et seq.
2. Office of Public Affairs, “Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative,” available at https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.
3. Office of Public Affairs, “United States Files Suit Against the Georgia Institute of Technology and Georgia Tech Research Corporation Alleging Cybersecurity Violations,” available at https://www.justice.gov/opa/pr/united-states-files-suit-against-georgia-institute-technology-and-georgia-tech-research.
4. United States ex rel. Craig v. Georgia Tech Research Corp., et al., No. 1:22-cv-02698-JPB, Doc. 23 (N.D. Ga. Aug. 22, 2024).
5. United States ex rel. Decker v. Pennsylvania State University, No. 2:22-cv-03895-PD, Doc. 8 (E.D. Penn. Jan. 17, 2023).
6. Office of Public Affairs, “Medical Services Contractor Pays $930,000 to Settle False Claims Act Allegations Relating to Medical Services Contracts at State Department and Air Force Facilities in Iraq and Afghanistan,” available at https://www.justice.gov/opa/pr/medical-services-contractor-pays-930000-settle-false-claims-act-allegations-relating-medical.
7. Office of Public Affairs, “Jelly Bean Communications Design and its Manager Settle False Claims Act Liability for Cybersecurity Failures on Florida Medicaid Enrollment Website,” available at https://www.justice.gov/opa/pr/jelly-bean-communications-design-and-its-manager-settle-false-claims-act-liability.
