It was a big week for Bracker & Marcus LLC’s cyberfraud cases, with a motion to dismiss filed in one case and a $1.25 million settlement in another.
Georgia Tech Case
On October 21, 2024, Georgia Tech filed a motion to dismiss United States ex rel. Craig v. Georgia Tech Research Corp., et al., the first complaint-in-intervention filed by the United States in a cybersecurity False Claims Act case. Bracker & Marcus LLC initiated the qui tam case on July 8, 2022, and the United States filed its complaint-in-intervention on August 22, 2024.
The case alleges that Georgia Tech violated cybersecurity requirements specified by National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, including failing to install, update or run antivirus or anti-malware; submitting false cybersecurity assessment scores; and failing to develop and implement a system security plan (SSP).
Penn State Case
We also have exciting news about the settlement of a cybersecurity fraud case we filed before the Georgia Tech case. On October 5, 2022, we filed United States ex rel. Decker v. Penn State University, and the seal was lifted on October 2, 2023. The Parties agreed to allow a magistrate judge to preside over the case while the government continued its investigation.
DOJ Announces Settlement
On October 22, 2024, the Department of Justice (DOJ) announced the settlement of a pioneering cybersecurity fraud False Claims Act case for $1.25 million. As one of the first cyber-fraud whistleblowers, Matthew Decker, former chief information officer for Penn State’s Applied Research Laboratory, courageously brought these claims to the government’s attention. He will receive $250,000 of the settlement.
Decker filed the case after reaching the limit of his frustration with attempts to resolve the matters internally. He said that “[a]fter decades of loyalty to national defense, and with my understanding of the consequences of having our adversaries obtaining sensitive defense research information, it is unacceptable to me for any organization to falsely attest or even fabricate data asserting security and compliance with such sensitive information, which is produced on tax-payers dollars.”
Federal Funding and Cybersecurity Requirements
The defendant, Pennsylvania State University (“Penn State”), receives federal funding to conduct research through contracts or subcontracts involving the Department of Defense (DoD) or National Aeronautics and Space Administration (NASA).
Like Georgia Tech, as a federal contractor, Penn State was required to provide adequate security on its information systems by implementing security requirements specified by NIST SP 800-171. Department of Defense contractors must also assess their NIST compliance and submit their cybersecurity assessment score to the Supplier Performance Risk System (“SPRS”).
Settlement Allegations
The settlement resolved allegations that between January 2018 and November 2023, Penn State failed to implement certain cybersecurity controls required by DoD and NASA. Without having a plan to actually implement missing security controls, Penn State misrepresented the dates that it would implement NIST SP 800-171 controls. Additionally, Penn State did not use an external cloud service provider that met the DoD’s security requirements.
DOJ’s Civil Cyber-Fraud Initiative
This settlement is a testament to the DOJ’s commitment to its Civil Cyber-Fraud Initiative, which aims to hold entities accountable for putting the nation’s information at risk with deficient cybersecurity products and services.
In the DOJ’s press release, Jacqueline C. Romero, United States Attorney for the Eastern District of Pennsylvania, emphasized the government’s dedication to using “every available tool to remedy” federal contractors’ failure to comply with cybersecurity requirements.
The Importance of Cybersecurity Compliance
Special Agent in Charge Greg Gross of the Naval Criminal Investigative Service Economic Crimes Field Office (“NCIS”) highlighted the importance of cybersecurity compliance, stating that as “our cyber adversaries become increasingly sophisticated, the importance of cybersecurity in safeguarding Department of Defense research, development and acquisitions information cannot be overstated.”
Assistant Inspector General for Investigations Robert Steinau of NASA’s Office of Inspector General (NASA-OIG) echoed the importance by stating that “Safeguarding sensitive NASA and DoD data is crucial to ensuring that it does not fall into the hands of our adversaries or bad actors.”
This case should put other research institutions on notice that the government takes seriously their obligations to protect sensitive government information.
Let Bracker & Marcus LLC Represent Your Cybersecurity Case
Bracker & Marcus LLC has other cybersecurity fraud cases that are currently under seal. Because we feel passionate about protecting the government’s valuable information, we are eager to file more cybersecurity fraud cases.
For more information, see the lawsuit, and book an evaluation with a cybersecurity fraud attorney.