DOJ Sues Georgia Tech for Alleged Cybersecurity Violations in Defense Contracts


The United States Department of Justice (DOJ) has joined a whistleblower lawsuit against the Georgia Institute of Technology (Georgia Tech) and its affiliate, Georgia Tech Research Corporation (GTRC), alleging significant cybersecurity violations in connection with Department of Defense (DoD) contracts.

Filed on August 22, 2024, the complaint-in-intervention accuses the institutions of knowingly failing to meet required cybersecurity standards, potentially compromising sensitive government information. The lawsuit stems from allegations made by current and former members of Georgia Tech's cybersecurity team.

Principal Deputy Assistant Attorney General Brian M. Boynton emphasized the importance of cybersecurity compliance, stating, "Government contractors that fail to fully implement required cybersecurity controls jeopardize the confidentiality of sensitive government information."

The allegations in the lawsuit include:

  1. Failure to develop and implement a required system security plan for the Astrolavos Lab until at least February 2020.
  2. Inadequate scope of the security plan, excluding covered laptops, desktops, and servers.
  3. Neglect in installing, updating, or running anti-virus or anti-malware tools until December 2021.
  4. Submission of an allegedly false cybersecurity assessment score to the DoD in December 2020.

U.S. Attorney Ryan K. Buchanan for the Northern District of Georgia stressed the critical nature of cybersecurity compliance, regardless of an organization's size or contract volume.

The case was initially filed by whistleblowers Christopher Craig and Kyle Koza under the False Claims Act's qui tam provisions, which allow the government to intervene and take over the litigation. If found liable, the defendants could face penalties of up to three times the government's losses, plus additional fines.

This lawsuit is part of the DOJ's Civil Cyber-Fraud Initiative, launched in October 2021 to hold entities accountable for cybersecurity deficiencies that put U.S. information or systems at risk.

As the case proceeds, it's important to note that the claims remain allegations, and no determination of liability has been made. The DOJ, supported by various investigative agencies, will continue to pursue the case under the caption United States ex rel. Craig v. Georgia Tech Research Corp, et al., No. 1:22-cv-02698 (N.D. Ga.).

This legal action underscores the growing emphasis on cybersecurity in government contracts and the potential consequences for non-compliance.
