In August, the United States filed a Complaint-in-Intervention in a False Claims Act (FCA) whistleblower suit alleging that the Georgia Institute of Technology (“Georgia Tech”) and an affiliate, Georgia Tech Research Corp. (GTRC), violated cybersecurity requirements in connection with Department of Defense (DOD) contracts.

The complaint and accompanying press release reflect the Department of Justice’s (DOJ’s) heightened focus on using the FCA to address cybersecurity issues. The DOJ’s Civil Cyber-Fraud Initiative, designed to combat new and emerging cyber threats to sensitive information and critical systems, uses the federal FCA to pursue cyber-related fraud by government contractors and grant recipients.

The U.S. government joins a case originally filed in 2022 by two qui tam whistleblowers, both senior members of Georgia Tech’s cybersecurity compliance team. Both complaints allege that the defendants failed to comply with federal cybersecurity requirements and attempted to obscure this failure by submitting false claims to the government.

The Allegations

The United States is pursuing claims under the FCA and federal common law fraud, negligent misrepresentation, unjust enrichment, payment by mistake, and breach of contract—alleging that the defendants (1) knowingly, intentionally, and/or negligently violated federal cybersecurity requirements as part of a culture of noncompliance, and consequently (2) fraudulently and negligently induced the DOD to enter into and retain federal government contracts that the defendants were not eligible for.

The government claims the following:

Federal Cybersecurity Requirements

  • The defendants allegedly failed to develop or implement a system security plan and/or updated plan with respect to a particular lab—outlining how they would protect defense information from unauthorized disclosure—in violation of DOD cybersecurity regulations, the Defense Federal Acquisition Regulation Supplement (DFARS), and/or National Institute of Standards and Technology (NIST) controls.
  • The defendants allegedly failed to install, update, or run antivirus or incident detection software on desktops, laptops, servers, or the network at the lab (used to process, store, and transmit covered defense information and/or federal contract information)—in violation of federal cybersecurity regulations, DFARS, and/or NIST controls.
  • The defendants allegedly failed to assess the system on which the lab processed, stored, or transmitted sensitive DOD data using the DOD’s prescribed assessment methodology.

False Compliance Score

  • The defendants allegedly provided the DOD with a false summary level score (meant to reflect cybersecurity compliance regarding systems storing defense information), and this score was a condition of the contract awards.

False Claims Act Violations

The defendants’ alleged conduct gave rise to claims under the FCA and federal common law, including fraud and negligent misrepresentation, with the defendants allegedly knowing that violating federal cybersecurity requirements could lead to false claims.

This alleged conduct included, for purposes of the FCA:

Count 1: Presentment of False Claims

  1. GTRC knowingly presented or caused to be presented false or fraudulent claims to the DOD for payment, which the agency paid in full (the payments were split between the defendants);
  2. the claims were false or fraudulent due to the defendants’ failures to provide adequate security for their covered contractor information systems and to submit an accurate summary level score, as required; and
  3. the claims were material to the United States, inducing the government to enter into contracts and make payments.

Count 2: False Record or Statement

  1. GTRC knowingly made, used, or caused to be made or used false records or false statements that were material to claims for payment or approval to the United States;
  2. the statements were false or fraudulent due to GTRC’s representations and certifications that it had complied with federal cybersecurity requirements under DFARS and NIST and that it had submitted an accurate summary level score for each system relevant to the applicable bid and contract; and
  3. the representations and certifications were material to the United States, inducing the government to enter into contracts and make payments.

Takeaways

As this case demonstrates, entities contracting with the government need to be meticulous in reviewing the terms and conditions of those contracts. As the DOJ is using the FCA in matters relating to cybersecurity, those in charge of cybersecurity should promote a culture of compliance, ensuring that everyone involved is aware of, and properly carrying out, the specific requirements of those contracts. Setting up compliance programs sensitive to these contractual requirements can serve as a first line of defense in the event questions arise about how well a company, university, or other entity met its obligations in this regard.

While entities should be sure to identify what the contract requires, they should, just as intently, identify what it does not. This, too, can be key to the defense of any claim that the FCA has been violated for failure to comply with contractual obligations.

For more on the DOJ’s Civil Cyber-Fraud Initiative, please see a past Epstein Becker Green podcast and related publication on the subject.

Epstein Becker Green Staff Attorney Ann W. Parks assisted with the preparation of this post.
