As reported in our August 2024 client alert, earlier this year the U.S. Department of Justice (DOJ) intervened in a False Claims Act (FCA) matter initiated by two whistleblowers, alleging that Georgia Tech Research Corporation and the Georgia Institute of Technology (Georgia Tech) violated various cybersecurity requirements that are part of Department of Defense (DoD) contracts. The DOJ’s intervention was another data point showing prosecutors’ deep interest in pursuing cybersecurity-related fraud.

The Complaint

On August 22, 2024, the DOJ filed its 99-page complaint in the Georgia Tech case, reflecting the results of a thorough pre-suit investigation. In that pleading, the DOJ quotes extensively from internal emails, internal instant messages, other communications, and testimony to allege that the defendants violated federal cybersecurity rules and regulations applicable to the institutions as government contractors. Further, this documentation supports the DOJ’s allegations that the defendants knew or were reckless in not knowing that they did not comply with those rules and regulations.

For example, the DOJ alleges that one former employee testified that, for a substantial period of time, there was “no enforcement” of the applicable cybersecurity requirements. In another example, the DOJ cited extensive instant messages where employees recognized non-compliance with cybersecurity requirements. Elsewhere, the DOJ alleges that the defendants created a “culture of cybersecurity noncompliance,” rendering multiple years’ worth of claims false. The DOJ seeks damages of approximately US$30 million, based on the amounts billed to the government, and that figure is before application of the FCA’s treble damages provision and per-claim fees.

Takeaways

The DOJ’s complaint yields the following important takeaways:

• The detailed allegations spanning nearly 100 pages reflect the results of what appears to have been a thorough investigation. This shows the diligence with which the DOJ is pursuing these matters as part of its Civil Cyber-Fraud Initiative, launched in 2021.
• The government’s review of various data repositories—such as emails, instant messages, PowerPoint presentations, and other materials—shows the lengths that the government will go to investigate and pursue its allegations. Accordingly, companies should be mindful of having appropriate communication and document retention policies.
• Although the DOJ does not allege that any of the sensitive information was in fact compromised, it maintains that the DoD “paid for military technology . . . stored in an environment that was not secure from unauthorized disclosure.” The DOJ further alleges, “What the DoD received for its funds was of diminished or no value, not the benefit of its bargain.” In other words, the DOJ will pursue these actions even in the absence of a data breach or other compromise of data.
• The whistleblowers who brought the case (before the DOJ intervened) are current and former employees of Georgia Tech. In that way, this case illustrates the importance of ensuring a culture of compliance with a robust and effective compliance program.
• This case is just the latest instance of the DOJ pursuing alleged cybersecurity non-compliance under the FCA. The DOJ has indicated that it is serious about enforcement in this area, and this intervention and detailed complaint demonstrates the agency’s commitment in that regard.