In August, the United States filed a Complaint-in-Intervention in a False Claims Act (FCA) whistleblower suit alleging that the Georgia Institute of Technology (“Georgia Tech”) and an affiliate, Georgia Tech Research Corp. (GTRC), violated cybersecurity requirements in connection with Department of Defense (DOD) contracts.
The complaint and accompanying press release reflect the Department of Justice’s (DOJ’s) heightened focus on using the FCA to address cybersecurity issues. The DOJ’s Civil Cyber-Fraud Initiative, designed to combat new and emerging cyber threats to sensitive information and critical systems, uses the federal FCA to pursue cyber-related fraud by government contractors and grant recipients.
The U.S. government joins a case originally filed in 2022 by two qui tam whistleblowers, both senior members of Georgia Tech’s cybersecurity compliance team. Both complaints allege that the defendants failed to comply with federal cybersecurity requirements and attempted to obscure this failure by submitting false claims to the government.
The Allegations
The United States is pursuing claims under the FCA and under federal common law (fraud, negligent misrepresentation, unjust enrichment, payment by mistake, and breach of contract). It alleges that the defendants (1) knowingly, intentionally, and/or negligently violated federal cybersecurity requirements as part of a culture of noncompliance, and consequently (2) fraudulently and negligently induced the DOD to enter into and retain federal government contracts for which the defendants were not eligible.
The government claims the following:
Federal Cybersecurity Requirements
- The defendants allegedly failed to develop or implement a system security plan and/or updated plan with respect to a particular lab—outlining how they would protect defense information from unauthorized disclosure—in violation of DOD cybersecurity regulations, the Defense Federal Acquisition Regulation Supplement (DFARS), and/or National Institute of Standards and Technology (NIST) controls.
- The defendants allegedly failed to install, update, or run antivirus or incident detection software on desktops, laptops, servers, or their network at the lab (which was used to process, store, and transmit covered defense information and/or federal contract information)—in violation of federal cybersecurity regulations, DFARS, and/or NIST controls.
- The defendants allegedly failed to assess the system on which the lab processed, stored, or transmitted sensitive DOD data using the DOD’s prescribed assessment methodology.
False Compliance Score
- The defendants allegedly provided the DOD with a false summary level score (meant to reflect cybersecurity compliance regarding systems storing defense information), and this score was a condition of the contract awards.
False Claims Act Violations
The defendants’ alleged conduct gave rise to claims under the FCA and federal common law, including fraud and negligent misrepresentation; the government further alleges that the defendants knew that violating federal cybersecurity requirements could lead to false claims.
This alleged conduct included, for purposes of the FCA:
Count 1: Presentment of False Claims
- GTRC knowingly presented or caused to be presented false or fraudulent claims to the DOD for payment, which the agency paid in full (the payments were split between the defendants);
- the claims were false or fraudulent due to the defendants’ failures to provide adequate security for their covered contractor information systems and to submit an accurate summary level score, as required; and
- the claims were material to the United States, inducing the government to enter into contracts and make payments.
Count 2: False Record or Statement
- GTRC knowingly made, used, or caused to be made or used false records or false statements that were material to claims for payment or approval to the United States;
- the statements were false or fraudulent due to GTRC’s representations and certifications that it had complied with federal cybersecurity requirements under DFARS and NIST and that it had submitted an accurate summary level score for each system relevant to the applicable bid and contract; and
- the representations and certifications were material to the United States, inducing the government to enter into contracts and make payments.
Takeaways
As this case demonstrates, entities contracting with the government need to be meticulous in reviewing the terms and conditions of those contracts. As the DOJ is using the FCA in matters relating to cybersecurity, those in charge of cybersecurity should promote a culture of compliance, ensuring that everyone involved is aware of, and properly carrying out, the specific requirements of those contracts. Setting up compliance programs sensitive to these contractual requirements can serve as a first line of defense in the event questions arise about how well a company, university, or other entity met its obligations in this regard.
While entities should be sure to identify what the contract requires, they should, just as intently, identify what it does not. This, too, can be key to the defense of any claim that the FCA has been violated for failure to comply with contractual obligations.