On August 22, 2024, the United States Department of Justice (“DOJ”) filed a complaint-in-intervention in a whistleblower lawsuit brought against Georgia Institute of Technology (“Georgia Tech”) and Georgia Tech Research Corporation (“GTRC”) asserting claims under the False Claims Act (“FCA”) and federal common law based on allegations that Georgia Tech and GTRC failed to meet cybersecurity requirements mandated by U.S. Department of Defense (“DoD”) contracts and DoD regulations.

In United States ex rel. Craig v. Georgia Tech Research Corp, et al., which is pending in the United States District Court for the Northern District of Georgia, the DOJ alleges that, from as early as May 2019, Georgia Tech and GTRC, an affiliate of Georgia Tech that contracts with government agencies for work to be performed at Georgia Tech, failed to enforce cybersecurity regulations in order to allegedly “accommodate ‘researchers [who were] pushing back’ on cybersecurity compliance because they found it burdensome.” The complaint-in-intervention further alleges that, until at least February 2020, “Georgia Tech failed to enforce basic cybersecurity at the Astrolavos Lab” despite the lab possessing “nonpublic and sensitive DoD information.” It is also alleged that, even after Astrolavos Lab implemented a system security plan, Georgia Tech and GTRC “failed to: (1) assess the system on which the Astrolavos Lab processed, stored or transmitted sensitive DoD data using DoD’s prescribed assessment methodology; and (2) provide to DoD an accurate summary level score for Astrolavos Lab to demonstrate the state of the lab’s compliance with applicable cybersecurity regulations.” The submission of a summary level score is a “condition of contract” for most DoD contracts.

The whistleblower suit was originally filed on July 8, 2022 by current and former members of Georgia Tech’s Cybersecurity team under the qui tam or whistleblower provisions of the FCA. Under the FCA, private parties may file suit on behalf of the United States for false claims and receive a share of any recovery. On February 19, 2024, the DOJ, pursuant to the FCA, filed a Notice of Election to Intervene. As set forth above, the DOJ subsequently filed its complaint-in-intervention on August 22, 2024. Georgia Tech and GTRC are currently scheduled to file by October 21, 2024 a motion to dismiss the complaint-in-intervention.

Takeaways

This marks the first lawsuit the DOJ has litigated under its Civil Cyber-Fraud Initiative. The stated goal of the Civil Cyber-Fraud Initiative, is to utilize the FCA to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” The Civil Cyber-Fraud Initiative has sought to take action against not only federal government contractors, but also state government contractors.

In light of the DOJ’s pending litigation against Georgia Tech and GTRC, government contractors at both the federal and state level should review their cybersecurity obligations under both government contracts and applicable federal and state law, assess whether their current cybersecurity practices align with all contractual and legal requirements and, if necessary, make adjustments to obtain and maintain compliance with cybersecurity obligations. 

Back to Commercial Litigation Update Blog

Search This Blog

Blog Editors

Authors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Commercial Litigation Update posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.