A recent case involving Georgia Tech Research Corporation and its affiliates highlights a critical trend: the U.S. government is increasingly using the False Claims Act (FCA) to hold defense contractors accountable for cybersecurity noncompliance. In this case, it was alleged that Georgia Tech failed to properly protect Controlled Unclassified Information (CUI), demonstrating the heightened scrutiny on cybersecurity in the Defense Industrial Base (DIB). This serves as a stark warning to all contractors working with the Department of Defense (DOD).
How Does the False Claims Act Work?
Originally passed during the Civil War to combat rampant fraud against the Union Army, the FCA—often referred to as “Lincoln’s Law”—was designed to incentivize whistleblowers (known as “relators”) to report fraud against the government. In return, whistleblowers can receive up to 30% of any damages recovered, while companies found liable for defrauding the government are required to pay treble damages (three times the amount of damages determined). The Act also ensures that whistleblowers are protected from retaliation, offering significant legal protections and compensation for any mistreatment they might face.
The FCA has traditionally been used to address fraud in areas like healthcare and defense contracting, but more recently, it’s becoming a tool for enforcing cybersecurity compliance. As contractors face increasing pressure to meet mandates like CMMC, NIST 800-171, and DFARS 7012, the FCA adds another layer of accountability to ensure organizations are taking cybersecurity seriously.
Why It Matters for the DIB
The case involving Georgia Tech is a clear example of how the FCA is being applied in cybersecurity-related claims. Failure to protect sensitive information, like CUI, or misrepresenting cybersecurity practices can now lead to severe financial penalties and reputational damage. For contractors in the DIB, noncompliance can result in exclusion from future DOD contracts and hefty financial settlements—making it more important than ever to meet the necessary cybersecurity standards.
Whistleblower Protections Under the FCA
One of the key aspects of the FCA is its strong protection for whistleblowers. Employees who report noncompliance or fraud are entitled to significant protections against retaliation, including double damages, reinstatement to their previous position, and compensation for attorneys’ fees and court costs. In addition, whistleblowers can receive back pay, front pay, and compensation for emotional distress, making the Act a powerful deterrent against retaliatory actions by employers.
As Julie Bracker, a partner at Bracker & Marcus LLC who specializes in FCA cases and spoke at CMMC CON 2024, notes: “If a contractor is not complying with cybersecurity requirements and a whistleblower reports the issue, the FCA allows them to receive compensation while also protecting them from retaliation.” She emphasizes that anyone witnessing fraudulent behavior or cybersecurity noncompliance should seek legal advice early, as these cases can take time to develop.
The Cost of Noncompliance vs. Proactive Compliance
One of the key lessons of FCA enforcement is that compliance with cybersecurity regulations is far more manageable when approached proactively rather than reactively. The financial and legal costs of noncompliance, especially when facing potential FCA claims, can be overwhelming. If your organization is behind on implementing cybersecurity controls, it is critical to take action now to avoid future risks.
Cybersecurity mandates like CMMC, NIST 800-171, and DFARS 7012 are designed to protect sensitive government information and ensure the resilience of the defense supply chain. Being caught unprepared not only exposes your company to legal liabilities but also jeopardizes future DOD contracts and your overall business standing.
Get Expert Guidance on Compliance
If your company is unsure of its compliance standing or needs help navigating these complex cybersecurity regulations, the team at CyberSheath can provide the guidance you need. With years of experience helping contractors meet DOD standards, CyberSheath can help you avoid the pitfalls of noncompliance and ensure that your organization is fully aligned with federal cybersecurity mandates.
Don’t wait until it’s too late. Reach out to CyberSheath today to start your compliance journey, safeguard your DOD contracts, and mitigate the risks of FCA-related actions.