"These are interesting cases in that they are spotlighting as we see the Civil Cyber Fraud Initiative cases coming up from under seal," said Julie Bracker.
For several years now, the Justice Department has operated something called the Civil Cyber Fraud Initiative. It uses the long-standing False Claims Act to go after contractors and research grantees who don’t have the cybersecurity controls in place they say they do. A recent case against two universities shows how it all works. My next guest represents Penn State and Georgia Tech whistleblowers. Attorney Julie Bracker of the law firm Bracker and Marcus joined the Federal Drive with Tom Temin
Interview transcript:
Tom Temin And these cases, you don’t see too many fraud actions, false claims act against universities. But what is going on in these two cases?
Julie Bracker Well, Tom, these are interesting cases in that they are spotlighting as we see the Civil Cyber Fraud Initiative cases coming up from under seal. We’re starting to see essentially with the Civil Cyber Fraud Initiative, the United States sent the message, we do care. We fund material, the cyber security terms that are embedded in the contracts with the Department of Defense, NASA and many other agencies. So with that message in 2021, which followed an attestation that grantees and contractors were required to sign beginning in 2018, we see enforcement of that happening. So I think one of the things this shows is what the government has been saying for several years now, which is we really do care that you keep our data secure.
Tom Temin Got it. And so how do these cases come to the attention of the Justice Department? I’m presuming it’s whistleblowers.
Julie Bracker That’s right. That’s who I represent, in fact, are whistleblowers who are bringing notice of these violations of the contractual terms to the federal government. So they can be originated by the Department of Justice itself. But obviously, insiders are able to tell the government what no outsider, which is able to tell, which is that the company or in this case the universities knew better. They knew what they were doing, and they made a choice not to do it. This wasn’t a mistake. This was a deliberate act.
Tom Temin Right. That means the whistleblowers are likely in the IT departments of these universities, or could they be part of the research that was granted?
Julie Bracker They could certainly be part of any part of the institution. In this case, though, both the two relators in the Georgia Tech matter and the gentleman who was blowing the whistle on Penn State. All three of those relators were in fact part of the IT department, and more specifically, part of this cyber security group.
Tom Temin Right. So somehow the relator is the whistleblowers know what contracts that these organizations have, which is not something you would think the IT department would normally know. Sounds like there’s more plumbing going on behind the scenes than might be visible.
Julie Bracker Well, in the False Claims Act, because entities that are being sued under the False Claims Act are entities and not individuals, it’s very common that your relator will know a lot about one area, and not a lot about the other. So in the medical context, for example, they might know all about the billing, but not much about the treatment. Or you might know that, hey, I’m being called to give this test to every patient whether or not they really need it or not, but that relator might not know about how it was billed. So we’re accustomed under the False Claims Act cases to putting together various pieces. So in this case, what we knew, and it’s just a simple contractual term in any contract, we don’t have to have a contract to know that if you’re contracting with the Department of Defense, then you have to comply with the new standards. So they knew they weren’t complying with the new standards. And we don’t really have to have a copy of the contract to know that they’re therefore in violation of the contract.
Tom Temin And did the whistleblower just go straight to the Justice Department? Or did they say to Penn State and Georgia Tech authorities, you’re missing this, you need to put these in these controls.
Julie Bracker Absolutely. In most cases under the FCA, the relator comes to me long after they’ve been working internally to stop the problems. And in both of these instances, they follow that pattern. There were many years, months of time where the relator for battling internally trying to get this fixed, and they just finally reached a point where they were convinced that it wouldn’t happen. They’ve been told definitively no or certainly not now. And because they’re concerned about federal data being leaked, because they’re concerned about threat actors, they found a FCA attorney, that would be me. And we presented it to the Department of Justice.
Tom Temin We are speaking with attorney Julie Bracker, a partner at Bracker and Marcus. And did the organizations, the colleges try to retaliate, or was this a pretty clean cut case?
Julie Bracker Well, we’re talking about two cases and three relators. So it’s hard to give a quick answer to that. In the Penn State case, Matt Decker was able to move out of the institution. He’s now with JPL, in fact, and doing well. In the Georgia Tech case, I think we’ve got public allegations with respect to the retaliation that both of the relators dealt with. Christopher Craig is still there. So that’s an ongoing part of the case that we really can’t talk a lot about right now. But there are definitely allegations of retaliation in both of those people.
Tom Temin Right. Ok. So that’s kind of a separate case, the retaliation activity than the original False Claims Act. What was the outcome of the False Claims Act, fines? Or is that still in litigation?
Julie Bracker It’s still in litigation. In Penn State, we have been granted a stay in a magistrate court, while the United States has been completing its investigation. And in the Georgia Tech matter the United States intervened in February, which means they took over the case, and then they were given 120 days and then another extension to file their complaint and intervention, which takes over the allegations from the relator. So that was filed very recently in August. And now there’s a briefing schedule for a motion to dismiss that has us winding up the briefing schedule, I believe, in February 2025.
Tom Temin Yes. So these things take a long time. Are these qui tam cases?
Julie Bracker Yes, they are. They’re called qui tam, because the relators bring the case on behalf of the government.
Tom Temin Right. And so they will be awarded damages, be awarded a piece of the settlement should it come to that.
Julie Bracker Yes. If there’s a settlement or a victory at trial, either way, there’ll be a relator share paid to the relators.
Tom Temin And by the way, if the organizations in this case, again, Penn State and Georgia Tech go ahead in the meantime, and put all those controls in place they’re required to for Defense Department data handling and so on, that doesn’t get them off the hook, because those things weren’t in place at the time of the contract.
Julie Bracker That’s right. We hope they do have everything in place as soon as possible, because our primary objective here is to secure the federal data. But no, the allegations are concerning what’s gone on since the attestations began in 2018 through present.
Tom Temin And how often do you find this happens in the non-corporate setting? In this case, really the nonprofit and the academic setting.
Julie Bracker Do you mean how often does it happen that we have a case? Or how often does it happen that they’re not securing the data? My understanding from the buzz in the industry, and from talking with my relators, who are of course part of that academic institutional research, is that research institutions have not been taking their obligations as seriously as they ought. And so I believe it’s common. This is the two cases that we are talking about today are the two that I’m aware of. There may be more under seal that I’m not aware of. One unique feature of the Georgia Tech case is that where Georgia Institute of Technology is the not for profit university, but one of the primary defendants in the case is Georgia Tech Research Corporation, GTRC, which is, of course, a contracting entity that is not part of the university system. That makes a difference in terms of proceeding against an entity that’s not an arm of the state.
Tom Temin Interesting. So the liable party is not the main Georgia Tech itself, but this entity that has its name.
Julie Bracker Well, both are defendants in the federal lawsuit. And we’ll see how that shakes out. But an arm of the state or a state entity has an argument that they’re immune to suit by the federal government under the False Claims Act. But Georgia Tech Research Corporation is not that type of entity, and because its corporate structure is not as part of the arm of the state that subjects it to, that means it does not have that argument.
Tom Temin And what about Penn State?
Julie Bracker Penn State can make the argument. We don’t know if it will or not. We don’t know how that will shake out. That would be a question of fact, whether or not the institution is in fact an arm of the state controlled by the state.
Tom Temin And I would think the institutions would be motivated by the desire to continue to get work from the government because they live off a lot of these grants. I mean, they have whole departments and staffs and laboratories that live off grants. And so if they are a good player, they’ll continue to get support for those activities.
Julie Bracker Well, I think that’s exactly right. And what the federal Civil Cyber Fraud Initiative is doing is trying to shift that incentive a little bit, because as we heard from the testimony, that’s part of the government’s complaint in the Georgia Tech case, the institution is motivated by a desire to keep the principal investigators happy by letting them arrange their IT structure however they see fit for their convenience, which is problematic when that means we don’t want to be bothered with a lot of cyber security. So by saying if you’re not subject to the cybersecurity, we’re not going to give you the data in the first place. You won’t have a contract that shifts the incentives a bit for the institutions.
Tom Temin And we said earlier at the outset, I want to just kind of close on this idea, that the researchers that are applying for the money would be the ones, when they receive the money, when they get the agreement, would be signing this. How would they determine what the IT department told them is not the case? In other words, it seems like there should be an internal verification going on.
Julie Bracker Well, it’s a good question. In this case, the defendants do not include the principal investigators who are there. They’re the principal investigator on the grant, but they’re not the contracting party. It’s the institution that applies for the grant money. And so it’s the institution is liable for making sure it complies with the terms.
Tom Temin So best advice is for institutional leadership to understand those clauses, and then go down to the director of IT and say yes.
Julie Bracker Correct. That’s exactly right.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.
Follow @tteminWFED