DOJ Files First Complaint Under the Civil Cyber-Fraud Initiative

by Jessica Hoyer Estes | Sep 16, 2024 | Legal News, Whistleblowers

DOJ Joins Whistleblower’s False Claims Act Lawsuit Against Georgia Tech Over Cybersecurity Failures

Late last month, the U.S. Department of Justice (DOJ) filed a lawsuit against the Georgia Institute of Technology (Georgia Tech), accusing it of not meeting cybersecurity requirements for U.S. Department of Defense (DOD) contracts. This is part of DOJ’s Civil Cyber-Fraud Initiative to fight cyber threats, launched in 2021. Although DOJ has reached settlements with contractors over cybersecurity issues before, this is its first case involving a university.

Allegations of Non-Compliance with Cybersecurity Rules

The DOJ’s 99-page complaint alleges that Georgia Tech did not follow the cybersecurity rules set out in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. These rules are designed to protect sensitive defense information. It also claims that Georgia Tech provided the DOD with misleading cybersecurity scores, which did not accurately represent the cybersecurity status of its systems handling sensitive information.

Specific Failures Highlighted in the Complaint

The lawsuit is based on a whistleblower complaint from two Georgia Tech employees. Whistleblowers can receive a portion of any financial recovery for bringing attention to legal violations. The DOJ’s decision to intervene in this case shows it believes the allegations are serious.

The complaint highlights specific failures by Georgia Tech, such as not developing and maintaining adequate security plans, failing to install antivirus software properly, and not creating action plans to address cybersecurity gaps. Additionally, the DOJ claims that Georgia Tech falsely reported a cybersecurity score for its entire campus instead of the specific systems involved in DOD contracts, misleading the DOD about its cybersecurity status.

No Data Breach but Alleged False Claims

While no data breach occurred, the DOJ argues that Georgia Tech made false statements about its cybersecurity, violating the False Claims Act (FCA). This act holds entities liable for presenting false claims for payment to the government. According to the DOJ, by not complying with cybersecurity regulations while invoicing the government, Georgia Tech violated the FCA.

Significance of DOJ’s Intervention

The DOJ’s intervention is significant as it signals a serious stance on cybersecurity compliance for all government contractors, including universities. This case shows that the government is committed to enforcing cybersecurity rules and will take action against entities that fail to meet these requirements.
