DoJ Sues Georgia Tech for Cybersecurity Fraud
I didn’t have enough characters in the title to really explain it. Like many universities, Georgia Institute of Technology, or Georgia Tech, is a defense contractor. It does a variety of things like research and testing.
As part of those contracts, the school has access to sensitive information, which, according to law and/or contract, it is supposed to protect.
But in their case, apparently, they just intentionally lied about protecting the data. At least, according to some whistleblowers.
For example, they were supposed to have a security score. A perfect score, if they implemented all the security controls, would be 110. But implementing all those controls would be hard, expensive and might require them to shut down some projects (AKA revenue) until they fixed it. So, they gave themselves a score of 98. Not perfect, but close to it.
The internal security team was not happy and went to management. Management, basically, told them that the school didn’t really care.
Here is where the process gets a little hard to follow.
There is a law, dating back to the Civil War, that allows any American to file a suit on behalf of the government alleging violation of the False Claims Act. This is also known as Qui Tam (lawyers love Latin). So that is what the security folks did.
BUT, the government has the right to take over the lawsuit and sue the villains themselves. Sometimes they do and sometimes they don’t. Generally they do when they think there is a good chance of winning.
For the security folks, the fact that the government is taking the case over is good news. They think the lawsuit has a good chance of prevailing. And they don’t have to pay for all the legal work.
Also, these security folks don’t have to fight a big university with high priced attorneys themselves.
AND, the law allows them to collect up to around 30 percent of whatever the government collects. For example, Booz Allen paid a $377 million settlement under the Act for falsifying records over 10 years. The whistleblower in that case got $69.8 million – a pretty strong incentive to report your boss’s misdeeds.
In the Georgia Tech case, there appears to be a large amount of written documentation in favor of the government. The school may choose to settle – in fact it likely will – because the sooner it gets this out of the news, the sooner customers can begin forgetting about it. In the meantime, if I were a government contracting officer, I would be looking really hard before I gave them any new contracts.
Defense contractors should expect to see more of these, and they should expect the government to take over more of these. In fact, the DoJ has an entire division dedicated to this.
SO, if you are a defense contractor, now would be a good time to get your cybersecurity act together. If you need help with that, please contact us.
Credit: The Register