5 September 2024. The United States Department of Justice intervened in a case against the Georgia Institute of Technology (Georgia Tech) and its affiliate, the Georgia Tech Research Corporation (GTRC). The lawsuit alleges that these entities knowingly failed to meet cybersecurity requirements under Department of Defense (DoD) contracts.
Overview of the Whistleblower Lawsuit
The whistleblower lawsuit, filed by Christopher Craig and Kyle Koza (former senior members of Georgia Tech’s cybersecurity compliance team), accuses Georgia Tech and GTRC of multiple violations of federal cybersecurity regulations. As qui tam whistleblowers, they may be entitled to 15-25% of the government’s recovery from these institutions.
Key Allegations
According to the complaint, Georgia Tech and GTRC had a culture and practice of “systematic noncompliance” with regard to the cybersecurity requirements of their DoD contracts. Until February 2020, the Astrolavos Lab at Georgia Tech did not have a system security plan, a requirement under DoD cybersecurity regulations. Furthermore, when the lab did implement a plan, it did not include all key hardware devices. Additionally, contrary to both contracting cybersecurity requirements and Georgia Tech’s policies, the lab did not install or maintain anti-virus or anti-malware software on its devices. Instead, the institution caved to the demands of the head of the lab regarding anti-virus or anti-malware software. Finally, the lab falsely claimed compliance with the DoD’s cybersecurity assessment, allegedly submitting a score for a fictitious environment.
The Civil Cyber-Fraud Initiative
This case is one of the latest actions under the DOJ’s Civil Cyber-Fraud Initiative, announced by Deputy Attorney General Lisa Monaco on October 6, 2021. The initiative aims to hold entities or individuals contracting with the government accountable for:
- Providing inadequate cybersecurity products or services.
- Misrepresenting compliance with cybersecurity rules.
- Failing to report cybersecurity incidents and breaches.
Why Cybersecurity Compliance Matters for Government Contractors and Cybersecurity Professionals
The DOJ’s intervention in this case sends a clear message to government contractors and cybersecurity professionals about the importance of compliance with federal cybersecurity requirements. Insiders who have knowledge of individuals or institutions skirting compliance with federal cybersecurity regulations can step forward and report these issues under the qui tam provision of the False Claims Act.
If you would like to report cyber fraud or government contracts fraud, you can contact attorneys at Tycko & Zavareei LLP. Eva Gunasekera and Renée Brooker are former officials of the United States Department of Justice and prosecuted whistleblower cases under the False Claims Act. Renée served as Assistant Director at the United States Department of Justice, the office that supervises False Claims Act cases in all 94 United States District Courts. Eva was the Senior Counsel for Health Care Fraud. Eva and Renée now represent whistleblowers. For a free consultation, you can contact Renée (tel.: 202-417-3664) or Eva Gunasekera. You can also go to Tycko & Zavareei LLP’s website for whistleblowers to learn more at www.fraudfighters.net.