Podcast - Discussing a DOJ Lawsuit Under the Civil-Fraud Initiative
Eric Crusius: Hi, this is Eric Crusius. Welcome to the latest episode of Regulatory Phishing. Today we're going to talk about something interesting, a Department of Justice lawsuit that was brought under the Civil Cyber-Fraud Initiative. With me is Kelsey Hayes, an attorney in our Government Contracts Group. Hello, Kelsey.
Kelsey Hayes: Hi.
Eric Crusius: I have to give Kelsey a lot of credit. She was the one who spearheaded a blog post that we wrote about this, so if you do see the blog, just note that a lot of that is Kelsey's handiwork. So, Kelsey, appreciate that, first of all. This case is really interesting, I thought, because first, it's kind of the first time that Department of Justice really talked about, in such gruesome detail, what they expect contractors to do under the various different Department of Defense regulatory requirements. Our title of the blog mentions the Civil Cyber-Fraud Initiative, which came out more than two years ago now, and required contractors to abide by certain cybersecurity standards, and really the initiative is the DOJ kind of taking a closer look at contractors, making sure they comply with those standards across the Department of Defense specifically. And this is the latest kind of in a long line of things that the government has done to kind of bring to bear these cyber requirements onto contractors and make sure they're protecting information. So we thought today we'd kind of talk a little bit about this new case that was brought. First, this was initially brought as a whistleblower lawsuit. I wonder if you could just kind of explain to everybody what a whistleblower lawsuit is.
Kelsey Hayes: Yeah. So a whistleblower lawsuit is an action that's brought under a provision of the False Claims Act that allows private litigants — just regular, everyday people — to bring a lawsuit against a contractor or another entity in the name of the United States government, where they're basically acting in the government's interest, so to speak, to bring to light wrongdoings or non-compliances or whatnot. And so in this case, it was an action brought by a whistleblower, I think a former and possibly even a current employee of the research lab. So they had intimate knowledge of what their employer was doing and felt that it wasn't in compliance with the regulatory requirements and decided to utilize that provision of the FCA.
Eric Crusius: What I find a lot of times with these whistleblower complaints — and it seems like it may have happened here — where the whistleblower tried to make things right within the organization itself, and they weren't heard, so they took another action to either protect themselves or to kind of blow the whistle, so to speak. The interesting thing about this, so this was brought by the whistleblower some time ago, and the government has the option to intervene in these cases or not. If the Department of Justice decides to intervene, they take control of the case, and here they did that. And then they filed a new complaint with all this other information they have, and I was struck, in the complaint, just reading through it, with how much detail was in there on the different controls that weren't complied with and just all the kind of background information. Emails, they had emails between the parties internally. So all that kind of stuff was just pretty crazy. I wonder if you could kind of walk through some of the allegations in the complaint.
Kelsey Hayes: Sure. So the principal allegation is that the research lab, a particular research lab within Georgia Tech, was not in compliance with a contract provision in their DOD contracts. And that's DFARS 252.204-7012, which I'm sure your listeners of the podcast are familiar with. It's the primary DOD cybersecurity regulation, and the regulation requires contractors to provide adequate security on information systems that process, store or transmit controlled unclassified information. And this was a clause that was included in the research lab's contract. They had contracts with the Air Force and Defense Advanced Research Projects Agency. So basically, the clause requires you to provide the security, and that security is defined in terms of the controls specified in NIST Special Publication 800-171, which I'm sure your listeners are also very familiar with.
Eric Crusius: And if they're not, they can call us. We could explain it to them.
Kelsey Hayes: Yes. So NIST itself specifies, I think, 110 security controls that contractors need to have to protect CUI that is on their information systems, and the particular NIST controls that were raised in the, I believe both the whistleblower's complaint and in DOJ's complaint, were that the research lab failed to document and periodically update a system security plan, which is a NIST security control, and that they also failed to install, update and run antivirus and incident detection software, which is part of a family of NIST controls under 3.14. So as to your point, the government was very specific and, you know, they broke down the controls that the contractor was required to have on its information system through this DFARS clause, which incorporates this new publication, and, you know, because of the whistleblower, they had information that the research lab was not, you know, did not implement these controls and therefore government controlled unclassified information could have, you know, was at risk technically.
Eric Crusius: It's interesting how kind of granular DOJ got with this, like, this controls and implemented this one. You know, we talked to a lot of clients — I know you and I both — where they kind of talk through the requirements of NIST 800-171. And I think one thing that was also really interesting here that I think a lot of companies miss is the lack of POA&Ms, plans of action and milestones. So it can be OK, and I'm not going to make a blanket statement that it always is, but it can be OK in certain circumstances to not have all the controls implemented, if you have plans of action and milestones and have a plan to get into compliance with some of these controls. And that was one of the complaints, I think, in this complaint, that they didn't have those plans of action for those unimplemented controls.
Kelsey Hayes: Yeah, and I think that that's an important point to make because it's not always clear from the face of the DFARS clause that you can have these POA&Ms, you know, even when I just read the DFARS clause, on its face, it says adequate security is NIST 800-171, but it's really only I think once you get into the NIST document itself that talks about the System Security Plan in detail, and the POA&Ms, and sort of says that's where you understand you don't have to immediately have them all in place, but you can have a plan to get there. At least that was the case when the rule first came out in what, 2016? When you had to have these controls in. So now in 2024, especially with CMMC on the horizon, I think it's starting to be a different story. But yeah, that was definitely a big, a big part of the, the allegation against the, against the research lab.
Eric Crusius: The one last thing I want to kind of touch on before we end this podcast is the, doesn't seem to be an allegation that there's any kind of security breach or anything, but that doesn't really matter to the government. They went on for a few pages, they talked about that the lack of compliance to these security controls is something that's material. Kind of hitting that element for the False Claims Act, they still have to prove that fact, this is just a complaint, of course. But your thoughts on that? That's pretty interesting.
Kelsey Hayes: Yeah, it's funny, so when I first, you know, learned about the case being unsealed and about DOJ's intervention, my immediate thought was, wait, if there was no breach, if none of this, you know, CUI on the contractor's information systems, you know, was hacked by an outside party or disclosed to someone that shouldn't have access to it, then what's the big deal? Like, what's the harm to the government? No one got their hands on this information that, you know, shouldn't have. And that's where materiality comes in. And, you know, I momentarily forgot about that when I was, when I was reading this. But materiality is something under the FCA. So in order for a false claim to be actionable under the FCA, the false claim has to be material to the government's payment decision under the contract. And DOD and DOJ have made very clear that cybersecurity is of utmost importance. The DOJ spent much of their brief complaint in intervention, as you mentioned, describing how material and how important DOD cybersecurity regulations are and really made the case that these terms are material to compliance and to the government's decision to pay. And in fact, there was an earlier case in 2019 where a similar action was brought under DFARS 7012, and the relator was alleging, you know, noncompliance with 7012, and the contractor tried to move to dismiss, saying, hey, this isn't material, you can't show that this is material. And, and that case was notable because it was the first time that a court said, you know, yes, at least in this instance, the relator has sufficiently alleged materiality for 7012. So we're going to let it proceed. So, you know, we have that case, and then we have that decision. And now we have this case where we see the DOJ spending pages and pages of its complaint, really bolstering that materiality argument. And like you said, it's just a complaint. It'll have to, you know, go through the wringer. But it is really interesting at this stage, and I think it sends a big message.
Eric Crusius: Yeah, I think that's a great point. And the big message is a great point because this is one of the first times we've seen kind of Department of Justice's view on these things, and my guess is that there are thousands of contractors that are in the same position as the universities here. So, you know, it puts a lot of folks at risk who are not paying attention to these requirements, and I think it's a good lesson without having to pay the price for a lot of those contractors to look at this complaint and say, OK, what did the DOJ say was wrong here, and are we doing those things? And if we are doing those things, we need to fix them right away.
Kelsey Hayes: Yeah. And to the point earlier when we were discussing, you know, what a whistleblower case is, what a qui tam action is, under that provision, a whistleblower is actually entitled to a share in the government's recovery if they win the case. So all this is to say is that people in your organization, you know, might have an incentive to sort of go against your company if they think that the company is not in compliance, because it could result in a big payout for them. It's a tool that the government uses to, you know, get its job done. And it's something that contractors should be aware of because, you know, as we see in the Georgia Tech case, whistleblowers are a very real thing and they'll, you know, take advantage of that provision and up and bring these complaints on behalf of the government.
Eric Crusius: Great way to end. Thank you, Kelsey, for being with us today.
Kelsey Hayes: Awesome. Thank you.
Eric Crusius: Sure. Thanks for listening. We're certainly going to have more podcasts on this topic because I think the False Claims Act is something that's going to be very real for this community, and it just seems like Department of Justice is really ramping up its efforts here. So we'll, we'll continue to focus on this topic and please stay tuned for the next one. Thank you.