On August 22, 2024, the United States Department of Justice (“DOJ”) filed a complaint-in-intervention in a whistleblower lawsuit brought against Georgia Institute of Technology (“Georgia Tech”) and Georgia Tech Research Corporation (“GTRC”) asserting claims under the False Claims Act (“FCA”) and federal common law based on allegations that Georgia Tech and GTRC failed to meet cybersecurity requirements mandated by U.S. Department of Defense (“DoD”) contracts and DoD regulations.

In United States ex rel. Craig v. Georgia Tech Research Corp, et al., which is pending in the United States District Court for the Northern District of Georgia, the DOJ alleges that, from as early as May 2019, Georgia Tech and GTRC, an affiliate of Georgia Tech that contracts with government agencies for work to be performed at Georgia Tech, failed to enforce cybersecurity regulations in order to allegedly “accommodate ‘researchers [who were] pushing back’ on cybersecurity compliance because they found it burdensome.” The complaint-in-intervention further alleges that, until at least February 2020, “Georgia Tech failed to enforce basic cybersecurity at the Astrolavos Lab” despite the lab possessing “nonpublic and sensitive DoD information.” It is also alleged that, even after Astrolavos Lab implemented a system security plan, Georgia Tech and GTRC “failed to: (1) assess the system on which the Astrolavos Lab processed, stored or transmitted sensitive DoD data using DoD’s prescribed assessment methodology; and (2) provide to DoD an accurate summary level score for Astrolavos Lab to demonstrate the state of the lab’s compliance with applicable cybersecurity regulations.” The submission of a summary level score is a “condition of contract” for most DoD contracts.

The whistleblower suit was originally filed on July 8, 2022 by current and former members of Georgia Tech’s Cybersecurity team under the qui tam or whistleblower provisions of the FCA. Under the FCA, private parties may file suit on behalf of the United States for false claims and receive a share of any recovery. On February 19, 2024, the DOJ, pursuant to the FCA, filed a Notice of Election to Intervene. As set forth above, the DOJ subsequently filed its complaint-in-intervention on August 22, 2024. Georgia Tech and GTRC are currently scheduled to file by October 21, 2024 a motion to dismiss the complaint-in-intervention.

Takeaways

This marks the first lawsuit the DOJ has litigated under its Civil Cyber-Fraud Initiative. The stated goal of the Civil Cyber-Fraud Initiative, is to utilize the FCA to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” The Civil Cyber-Fraud Initiative has sought to take action against not only federal government contractors, but also state government contractors.

In light of the DOJ’s pending litigation against Georgia Tech and GTRC, government contractors at both the federal and state level should review their cybersecurity obligations under both government contracts and applicable federal and state law, assess whether their current cybersecurity practices align with all contractual and legal requirements and, if necessary, make adjustments to obtain and maintain compliance with cybersecurity obligations.