Skip to main content

DOJ’s First Intervention in Cybersecurity FCA Qui Tam Case Signals Continued Cyber Enforcement

Go-To Guide:
  • In July 2022, two relators brought a False Claims Act (FCA) suit against the Georgia Tech Research Corporation (GTRC) and the Georgia Institute of Technology (GA Tech), alleging the defendants failed to comply with NIST 800-171 mandatory cybersecurity controls in their Department of Defense (DoD) contracts.
  • After a lengthy investigation, in February 2024, the Department of Justice (DOJ) intervened in the case and the original complaint was unsealed.
  • DOJ has until June 24, 2024, to file its own complaint containing allegations against the defendants.

In July 2022, two relators sued the GTRC and GA Tech under the FCA. The allegations include violations of the FCA and employment law based on the relators’ claims of “increasing retaliation” experienced after they escalated their concerns.

The relators are a current and former employee of GA Tech’s Information Technology Department. Their complaint alleges that GTRC failed to properly implement cybersecurity controls mandated by GTRC’s “hundreds of contracts with the DoD.” Specifically, relators allege that in 2017, the 110 controls in NIST SP 800-171 became mandatory for all research being performed at GA Tech and its associated labs under DoD contracts. The relators further allege that while the defendants took initial steps to assess compliance with the required controls by creating a team focused on auditing implementation of the controls, the team was unable to accurately assess the IT environments of the labs.

The relators also allege that the team assembled to audit compliance with the required cybersecurity controls was unqualified, pressured to interpret controls inconsistently and in a manner that would find existing practices sufficient, took the word of system administrators assigned to each lab regarding whether a control and any fixes were implemented in the system (rather than simply documented), and did not ensure continuous monitoring of compliance during the entirety of contract performance. As a result, the relators allege that the defendants’ attestations of compliance with NIST 800-171 were false. The relators claim that they made detailed reports to the administration regarding the problems they noticed in the implementation of the cybersecurity controls, yet they allege that those reports were consistently ignored by administration officials and that they faced retaliation for raising their concerns. Notably, the relators allege that even after the attestations had been demonstrated to be false in the case of one particular lab, and prior to resolution of the compliance concerns, contract billing and performance continued.

In February 2024, the DOJ intervened in the case, marking the first time it has joined a cybersecurity lawsuit brought by qui tam relators. DOJ has until June 24, 2024, to file its complaint in intervention. The intervention demonstrates DOJ’s continued focus on cybersecurity fraud and enforcing contractor compliance with cybersecurity requirements under DOJ’s Civil Cyber-Fraud Initiative that was announced by Deputy Attorney General Lisa Monaco in October 2021.