Stung by Cybersecurity Noncompliance: DOJ Unveils its False Claims Act Complaint Against Georgia Tech

As reported in our August 2024 client alert, earlier this year the U.S. Department of Justice (DOJ) intervened in a False Claims Act (FCA) matter initiated by two whistleblowers, alleging that Georgia Tech Research Corporation and the Georgia Institute of Technology (Georgia Tech) violated various cybersecurity requirements that are part of Department of Defense (DoD) contracts. The DOJ’s intervention was another data point showing prosecutors’ deep interest in pursuing cybersecurity-related fraud.

The Complaint

On August 22, 2024, the DOJ filed its 99-page complaint in the Georgia Tech case, reflecting the results of a thorough pre-suit investigation. In that pleading, the DOJ quotes extensively from internal emails, internal instant messages, other communications, and testimony to allege that the defendants violated federal cybersecurity rules and regulations applicable to the institutions as government contractors. Further, this documentation supports the DOJ’s allegations that the defendants knew or were reckless in not knowing that they did not comply with those rules and regulations.

For example, the DOJ alleges that one former employee testified that, for a substantial period of time, there was “no enforcement” of the applicable cybersecurity requirements. In another example, the DOJ cited extensive instant messages where employees recognized non-compliance with cybersecurity requirements. Elsewhere, the DOJ alleges that the defendants created a “culture of cybersecurity noncompliance,” rendering multiple years’ worth of claims false. The DOJ seeks damages of approximately US$30 million, based on the amounts billed to the government, and that figure is before application of the FCA’s treble damages provision and per-claim fees.

Takeaways

The DOJ’s complaint yields the following important takeaways:

The detailed allegations spanning nearly 100 pages reflect the results of what appears to have been a thorough investigation. This shows the diligence with which the DOJ is pursuing these matters as part of its Civil Cyber-Fraud Initiative, launched in 2021.

The government’s review of various data repositories—such as emails, instant messages, PowerPoint presentations, and other materials—shows the lengths that the government will go to investigate and pursue its allegations. Accordingly, companies should be mindful of having appropriate communication and document retention policies.

Although the DOJ does not allege that any of the sensitive information was in fact compromised, it maintains that the DoD “paid for military technology . . . stored in an environment that was not secure from unauthorized disclosure.” The DOJ further alleges, “What the DoD received for its funds was of diminished or no value, not the benefit of its bargain.” In other words, the DOJ will pursue these actions even in the absence of a data breach or other compromise of data.

The whistleblowers who brought the case (before the DOJ intervened) are current and former employees of Georgia Tech. In that way, this case illustrates the importance of ensuring a culture of compliance with a robust and effective compliance program.

This case is just the latest instance of the DOJ pursuing alleged cybersecurity non-compliance under the FCA. The DOJ has indicated that it is serious about enforcement in this area, and this intervention and detailed complaint demonstrates the agency’s commitment in that regard.

Disclaimer

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.