Penn State to Pay $1.25M in False Claims Act Settlement Over Cybersecurity Failures in Government Contracts

Pennsylvania State University (Penn State) has agreed to pay $1.25 million to settle allegations of violating the False Claims Act, stemming from its failure to meet contractual cybersecurity requirements between 2018 and 2023. The university allegedly failed to implement cybersecurity controls mandated by the Department of Defense (DoD) and NASA on 15 contracts or subcontracts. These failures included misrepresenting the implementation of specific cybersecurity controls and using a cloud service provider that did not meet DoD’s security standards for handling sensitive defense information.

The settlement resolves claims that Penn State misrepresented its compliance by submitting inaccurate assessment scores to the DoD, indicating cybersecurity measures that were not fully implemented. The university was also accused of failing to follow through on its plans to rectify deficiencies. This case highlights the increasing scrutiny universities face over cybersecurity in federally funded projects, especially in research involving sensitive government information.

"Universities that receive federal funding must take their cybersecurity obligations seriously," emphasized Principal Deputy Assistant Attorney General Brian M. Boynton. This case was brought under the Civil Cyber-Fraud Initiative, launched by the Department of Justice in 2021 to hold entities accountable for deficient cybersecurity practices.

The case against Penn State was initiated by whistleblower Matthew Decker, a former chief information officer at the university’s Applied Research Laboratory. Under the False Claims Act's qui tam provisions, Decker will receive $250,000 from the settlement.

Federal agencies, including the Naval Criminal Investigative Service, NASA’s Office of Inspector General, and the Defense Criminal Investigative Service, played key roles in the investigation. These agencies, alongside the Department of Justice, reiterated the critical nature of cybersecurity in protecting sensitive defense and space research from bad actors. Penn State has stated that it takes compliance seriously and continues to work cooperatively with the government.
