The United States notified the U.S. District Court for the Northern District of Georgia that it plans to intervene in a False Claims Act case filed against Georgia Tech Research Corporation (Georgia Tech) by its Associate Director of Cybersecurity and former Principal Information Security Engineer (the relators). 

Georgia Tech is a party to “hundreds” of contracts with the U.S. Department of Defense (DOD), which grant Georgia Tech access to certain Controlled Unclassified Information (CUI) that must be protected by “adequate” security, which, at minimum, must satisfy National Institute of Standards and Technology (NIST) standards. The relators allege that: (1) Georgia Tech’s internal assessors assigned to determine compliance with NIST were not qualified; (2) the assessors failed to compile sufficient evidence to prove compliance with the standards; (3) the assessors and administrators faced pressures and conflicts of interest; and (4) Georgia Tech bypassed certain malware requirements, in violation of NIST. As a result, the relators claim Georgia Tech’s self-attestations of NIST compliance were false.

The relators further allege that they raised these issues of noncompliance internally over the course of several months without satisfaction but instead faced “increasing retaliation,” including poor performance reviews and forced resignation.

The relators originally filed the case under seal in July 2022.  After more than a year and a half of investigation, the United States notified the court of its decision to intervene.  The United States has until June 24, 2024, to serve its Complaint in Intervention.  The decision to intervene is yet another sign of increased attention and enforcement under the Department of Justice’s Civil Cyber-Fraud Initiative, which we have written about previously.

If you have any questions about the case or cybersecurity enforcement under the False Claims Act, please contact the author.