Penn State Settles $1.25M for Cybersecurity Violations

The Pennsylvania State University (Penn State), located in University Park, Pennsylvania, has agreed to pay $1,250,000 to resolve allegations that it violated the False Claims Act by failing to comply with cybersecurity requirements in fifteen contracts or subcontracts involving the Department of Defense (DoD) or National Aeronautics and Space Administration (NASA).

The settlement resolves allegations that, between 2018 and 2023, Penn State failed to implement cybersecurity controls that were contractually required by DoD and NASA and did not adequately develop and implement plans of action to correct deficiencies it identified. DoD requires contractors to submit summary level scores reflecting the status of their compliance with applicable cybersecurity requirements on covered contracting systems used to store or access covered defense information. The United States alleged that Penn State submitted cybersecurity assessment scores to DoD that reflected it had not implemented certain controls, but misrepresented the dates by which it would implement them and did not pursue plans of action to do so. The United States also alleged that in performing certain of the contracts and subcontracts Penn State did not use an external cloud service provider that met DoD’s security requirements for covered defense information.

“Universities that receive federal funding must take their cybersecurity obligations seriously,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “We will continue our efforts under the department’s Civil Cyber-Fraud Initiative to hold contractors accountable when they fail to honor cybersecurity requirements designed to protect government information.”

“Federal contractors who store or access covered defense information must take required steps to protect that sensitive information from bad actors,” said U.S. Attorney Jacqueline C. Romero for the Eastern District of Pennsylvania. “When they fail to meet their cybersecurity obligations, we and our law enforcement partners will use every available tool to remedy the situation.”

“As our cyber adversaries become increasingly sophisticated, the importance of cybersecurity in safeguarding Department of Defense research, development and acquisitions information cannot be overstated,” said Special Agent in Charge Greg Gross of the Naval Criminal Investigative Service Economic Crimes Field Office. “NCIS, along with our federal partners, is committed to investigating entities who fail to implement contractual requirements designed to protect Department of the Navy critical information.”

“Protecting the integrity of Department of Defense procurement activities is a top priority for the DoD Office of Inspector General’s Defense Criminal Investigative Service (DCIS),” said Special Agent in Charge Patrick J. Hegarty of the DCIS Northeast Field Office. “Failing to comply with DoD contract specifications and cybersecurity requirements puts DoD information and programs at risk. We will continue to work with our law enforcement partners and the Department of Justice to investigate allegations of false claims on DoD contracts.”

“Safeguarding sensitive NASA and DoD data is crucial to ensuring that it does not fall into the hands of our adversaries or bad actors,” said Assistant Inspector General for Investigations Robert Steinau of NASA’s Office of Inspector General (NASA-OIG). “The University’s inability to adequately address known deficiencies not only put sensitive information at risk but also undermined the integrity of our government’s cybersecurity efforts. We remain committed to holding entities accountable when they fail to meet critical security standards, as demonstrated by this case.”

On Oct. 6, 2021, Deputy Attorney General Lisa Monaco announced the department’s Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put sensitive information at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents. Information on how to report cyber fraud can be found on the Justice Department’s website.

The settlement resolves a lawsuit filed under the whistleblower provisions of the False Claims Act, which permit private parties to sue on behalf of the government when they believe that a defendant has submitted false claims for government funds and receive a share of any recovery. The settlement in this case provides for the whistleblower, Matthew Decker, the former chief information officer for Penn State’s Applied Research Laboratory, to receive a $250,000 share of the settlement amount. The qui tam case is captioned U.S. ex rel. Decker v. Pennsylvania State University, No. 2:22-cv-03895 (E.D. Pa.).

The resolution obtained in this matter was the result of a coordinated effort between the Civil Division’s Commercial Litigation Branch, Fraud Section, and the U.S. Attorney’s Office for the Eastern District of Pennsylvania, with assistance from NCIS, NASA-OIG, DCIS, the Army Criminal Investigation Division, the Naval Audit Service, the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center and the Air Force Materiel Command.

Senior Trial Counsel Kimberly Friday and former Trial Attorney Melanie D. Hendry of the Justice Department’s Civil Division and Assistant U.S. Attorneys Peter Carr and Rebecca S. Melley for the Eastern District of Pennsylvania handled the case.

The claims resolved by the settlement are allegations only. There has been no determination of liability.