The U.S. government’s August 2024 decision to join a lawsuit against the Georgia Institute of Technology shows that a damaging data breach or ransomware attack doesn’t need to happen for an organization to face punishment for alleged non-compliance with infosec and privacy regulations.
A new civil complaint filed by the U.S. in an Atlanta-based federal District Court asserts that since at least May 2019, the Georgia Tech Research Corporation (GTRC) and the Board of Regents of the University System of Georgia have not properly met the cybersecurity requirements of their Department of Defense contracts, which are worth hundreds of millions of dollars.
The U.S. will seek relief under the terms of the False Claims Act, a federal law that makes it illegal to submit fraudulent claims to the government.
The complaint cites the claims of two former Georgia Tech cybersecurity team members who previously filed suit against the university. The whistleblowers claim that cyber regulations were left unenforced for years because rather than prioritizing compliance, leadership instead caved in to the demands of researchers who actively opposed compliance initiatives, as such efforts impeded their work.
The alleged compliance violations include the lack of a properly scoped security plan to prevent the unauthorized disclosure of sensitive defense information, as well as a failure to run antivirus software on machines that have access to nonpublic DoD information. Additionally, the U.S. claims that Georgia Tech provided a misleading compliance assessment score for its Astrolavos cybersecurity lab – using a dubious score that supposedly applied to an entire campus-wide IT system rather than to the specific lab that provided contracted services to the DoD and handled the agency’s sensitive data.
The U.S. says these alleged offenses violated the federal contracts, as they did not adhere to the guidelines set forth by the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS), which together set rules for providing the U.S. federal government with various goods and services. These guidelines include implementation of controls such as NIST SP 800-171, which spells out standards for protecting information on federal contractors' IT systems and networks.
In a press statement printed by multiple media outlets, Georgia Tech said that the U.S.’s complaint was “entirely off base.”
“This case has nothing to do with confidential information or protected government secrets,” the university stated. “The government told Georgia Tech that it was conducting research that did not require cybersecurity restrictions, and the government itself publicized Georgia Tech’s groundbreaking research findings. In fact, in this case, there was no breach of information, and no data leaked.”
Organizations that directly provide contracted cybersecurity services, or other digital services that leverage sensitive client data, should take heed of this lawsuit – especially if the federal government is a customer.
Service providers must strike a balance between innovation and compliance, ensuring that their code developers and researchers don’t have unfettered free rein to act without safeguards in place. A culture of security should be championed by top business leadership so that it becomes part of the internal process, lest indifference to cybersecurity become contagious throughout the organization. Finally, service providers should be thoroughly familiar with every compliance guideline that is required by business contract and/or government regulation.