Back to School: Are Universities the Next Target for Cyber-Related FCA Cases?
The Department of Justice (DOJ) recently intervened in what we at Qui Notes believe was its first cyber-related FCA case since announcing its Civil Cyber-Fraud Initiative (CCFI). As our regular readers know, in late 2021, the DOJ announced the initiative through which DOJ said it would focus on pursuing FCA cases against government contractors and grant recipients who allegedly failed to live up to their cybersecurity responsibilities in performing work for the government, among other things. Though the initiative has only produced a few CCFI-related settlements in the two-plus years since it was announced, unless we missed it, we had yet to see any intervened cases related to alleged cyber fraud.
That changed in February when DOJ intervened in United States ex rel. Craig v. Georgia Tech Research Corporation, No. 1:22-cv-02698 (N.D. Ga.). This qui tam action was filed by two relators in July 2022 in the Northern District of Georgia. The relators, the Associate Director of Cybersecurity at Georgia Tech and a former information security graduate student who also worked for the university’s Information Security Department, allege that the university failed to properly implement the provisions of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. When included in a contract, that DFARS clause requires contractors that process and store controlled unclassified information (CUI) in connection with the contract to use information systems that comply with National Institute of Standards and Technology Special Publication (NIST SP) 800-171.
The relators allege that Georgia Tech has “hundreds of contracts” with the DOJ requiring NIST SP 800-171 compliance. They allege “several problems” with how Georgia Tech handled CUI, which they say stemmed from a lack of training and “enormous pressure to find a way to interpret [NIST SP 800-171] to allow whatever was already happening in each lab to be designated as ‘compliant.’” Despite this broad framing, their complaint is largely focused on a single sequence of events. Allegedly, while working on the computer system for a specific lab at the university that held a government contract, one of the relators discovered that it lacked certain malware- and incident-detection software that they say is required under NIST SP 800-171. The relators further claim that their efforts to rectify this issue were rebuffed by Georgia Tech administrators, who preferred to focus instead on avoiding any disruptions to ongoing research being performed using the relevant system.
The relators’ primary allegations relate to a single lab at Georgia Tech, but their complaint also contains assertions of a variety of individual issues they allegedly witnessed elsewhere in their work at the university. In addition to their substantive FCA claim, each relator also asserts a retaliation claim under the FCA retaliation provision, 31 U.S.C. § 3730(h). DOJ has until late June to file its complaint in intervention, at which point we will see on which of the allegations DOJ intervenes.
The allegations in Craig bear some resemblance to those in another qui tam case brought against a university by the former Chief Information Officer for one of Penn State’s research labs, who also alleges inadequate safeguarding of CUI and is represented by the same relators’ counsel. That case, United States ex rel. Decker v. Pennsylvania State University, No. 2:22-cv-03895 (E.D. Pa.), was unsealed but is currently stayed to allow DOJ to complete its investigation and determine whether to intervene. While of course DOJ makes its intervention decisions on a case-by-case basis, given its intervention in Craig, we are interested to see what DOJ decides in Decker. The stay in that case will expire in early May.
Taken together, these cases demonstrate the potential reach of the CCFI. While the earliest settlements under the CCFI dealt with requirements such as healthcare data privacy that have long been well known to contractors in the relevant industries, these newer cases deal with the more recently developed standards for handling CUI. And, given recent developments with respect to the long-awaited Cybersecurity Maturity Model Certification (CMMC) Program that likely will increase potential FCA risk for DOD contractors, more clarity on the government’s approach to these cases may come when DOJ makes its intervention decision in Decker and files its complaint in intervention in Craig.
We here at Qui Notes will continue to monitor Craig, Decker, and other cyber-related FCA cases and blog about them as developments arise. As always, if you have any questions about these cases or about any cyber compliance issues, please reach out to the authors, or Arnold & Porter’s False Claims Act Investigations & Defense and Government Contracts groups.
© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.