Justice Department Going After Cybersecurity Fraud
The False Claims Act (FCA) is a Civil War era law that both penalizes companies for lying about their cybersecurity protections and rewarding whistleblowers for turning in fraudsters.
In 2021 the Justice Department created a new initiative to stem civil-cyber fraud. One of the beneficiaries of that is the Defense Department which has been plagued for years by foreign adversaries stealing defense secrets due to poor cybersecurity both by the department itself but mainly by the hundreds of thousands of defense contractors that have sensitive government information.
Even before this new initiative Justice has been going after companies for misrepresenting the cybersecurity of their products. For example, in 2019 Cisco paid $8.6 million for security issues with some of their hardware.
One feature of the law is that whistleblowers can get up to a third of what the government collects in fines. In the Cisco case the whistleblower only got a million dollars. ONLY :).
Not all FCA lawsuits are related to cybersecurity and the government collects billions every year in FCA settlements. Last year Booz, Allen, Hamilton agreed to pay a $337 million settlement for fraudulent billing to the government, for example. In that case Booz charged costs directly to contracts that should have gone to overhead. In that case, the whistleblower and her lawyers got $69 million.
Enough for background. On to today.
The Justice Department is working on dozens of these FCA cases. One case that became public this week is against Georgia Tech Research Corporation and Georgia Institute of Technology. In that case, GTRC/GIT is a defense contractor and is required by contract to comply with a NIST standard called SP 800-171. This is mandated by a contract clause called DFARS 252.204-7012.
In this case, the whistleblowers are two employees who tried to get these organizations to comply with their contract requirements. They even tried to run this up the food chain inside the organization, but these organizations intentionally committed fraud, according to the lawsuit and even retaliated against the employees in order to suppress them.
The case started as a Qui Tam case meaning that these relators filed a case on behalf of the government. This week the government said it was going to take over the case and file their own civil complaint. That does not mean that these people won’t get their share of the pie, it just means that GTRC/GIT will have to face the might of the Justice Department rather than some private lawyer.
In this particular case, the employees did a good job of documenting the problems and trying to get management to fix the problems, but apparently, management did not do anything to fix the problems.
One thing they tried to explain was that to continue to bill the government while they were out of compliance with the contract terms was a no-no, but these organizations did not seem excited about stopping work and stopping billing. They also stopped the employees from telling their internal compliance team about being out of compliance. Among a laundry list of other issues.
Apparently GIT has hundreds of defense contracts. Now that this case has become public, I am sure that multiple agencies will be examining their billing practices and probably going after GTRC/GIT administratively for violating their contracts and hiding the fact that they were violating their contracts. Possibly these agencies may cancel existing contracts or not renewing them. I would not want to be either a lawyer or project manager at these organizations for the next few years.
Additionally, I assume that new contracts will dry up as well since why would any agency want to work with organizations that are accused of violating the terms of existing contracts and being charged by the Justice Department of violating the FCA. Even if, in the end, they get off completely and I can’t see how that is possible, agencies are likely to choose other vendors for new contracts.
Julie Bracker is the lead attorney on the private claim and she did a great job of documenting the issues. Leslie Weinstein, a friend of mine and a third year law student, brought the case to my attention. Thanks Leslie. Here is a link to Leslie’s post.
by 