The DOJ Goes After Penn State For Cybersecurity Violations
Yesterday (October 22), the Department of Justice (DOJ) announced that The Pennsylvania State University will pay $1.25 million to settle charges it violated the False Claims Act by failing to comply with the cybersecurity requirements under multiple Department of Defense (DoD) and NASA contracts. It is just the latest in a string of False Claims Act cases against universities and other federal contractors failing to protect highly sensitive information.
According to the government, this latest settlement centered on Penn State’s failure to implement contractually required cybersecurity controls or take any action to correct known deficiencies. The government alleged the university submitted cybersecurity assessment scores that misrepresented when it would implement certain required cybersecurity controls and that it took no steps to actually implement them. The government further alleged the university failed to use an external cloud provider that met DoD’s security requirements for covered defense information.
It was only two months ago that DOJ filed a False Claims Act case against Georgia Tech alleging some of the same types of cybersecurity violations with the university’s DoD contracts. This included submitting false cybersecurity assessment scores and failing to implement required cybersecurity controls. With these two actions, the government has made it clear that ensuring defense contractors comply with DoD’s cybersecurity requirements is a top enforcement priority.
The government stressed this priority in promoting the Penn State settlement, noting that “as our cyber adversaries become increasingly sophisticated, the importance of cybersecurity in safeguarding Department of Defense research, development and acquisitions information cannot be overstated.” The government took an equally strong tone in trumpeting the Georgia Tech action, highlighting the “significant threat” to national security and the safety of our armed forces posed by “deficiencies in cybersecurity controls.”
But the government’s cybersecurity priority extends beyond defense information to protecting all kinds of sensitive information. In June, for example, DOJ reached an $11.3 million False Claims Act settlement with Guidehouse Inc. and Nan McKay and Associates for allegedly failing to protect personal identifying information under their contracts to help secure federal rental assistance during the COVID-19 pandemic. And in May, DOJ reached a $2.7 million False Claims Act settlement with Insight Global for allegedly failing to implement adequate cybersecurity measures to protect health information under its government contract for COVID-19 contact tracing.
All these actions were part of the Cyber-Fraud Initiative DOJ launched in October 2021 to go after federal contractors that put sensitive information at risk through deficient cybersecurity products or services, misrepresenting cybersecurity practices or protocols, or breaching obligations to monitor and report cybersecurity incidents and breaches. They also were all originated by whistleblowers under the qui tam provisions of the False Claims Act, which allow private persons to bring lawsuits on behalf of the government against those that defraud the government.
As an incentive for those with inside information to step forward, the statute provides successful whistleblowers with a significant share of the government’s recovery (up to 30%). In the Penn State action, the whistleblower who originated the action was the former Chief Information Officer for Penn State’s Applied Research Laboratory. He will receive an award of $250,000, representing 20% of the government’s recovery.
So if you have information relating to potential cybersecurity violations on any government-funded or supported contracts or programs, the government wants to hear from you. If you would like to learn more about what it means to be a whistleblower under the False Claims Act or any of the other whistleblower rewards programs, please do not hesitate to contact us. We will connect you with an experienced member of the Constantine Cannon whistleblower team for a free and confidential consult.