On October 22, 2024, the Department of Justice (“DOJ”) announced that Pennsylvania State University (“Penn State”) has agreed to pay $1,250,000 to settle a False Claims Act (“FCA”) case brought against the University approximately two years ago. The whistleblower in the case, former chief information officer of the Penn State Applied Research Laboratory, alleged that Penn State failed to comply with cybersecurity requirements in fifteen contracts and/or subcontracts with the Department of Defense (“DoD”) and National Aeronautics and Space Administration (“NASA”) between 2018 and 2023.
Specifically, the lawsuit (as discussed in our prior blog) contended that Penn State failed to provide “adequate security” for Covered Defense Information (“CDI”), as contractually required by the DFARS 252.204-7012 clause. Under this clause, “adequate security” is defined as (at least) implementing all 110 security controls outlined in the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Moreover, federal regulations require DoD contractors to conduct a self-assessment of compliance with those 110 controls and report a compliance score (out of 110) in DoD’s Supplier Performance Risk System (“SPRS”). The lawsuit further alleged that Penn State falsified at least 20 documents related to its NIST SP 800-171 self-assessment and other self-attestations and put sensitive information at risk in a commercial cloud-storage service.
The DOJ originally declined to intervene in this lawsuit (as discussed in our prior blog). However, DOJ did opt to participate in the settlement negotiations. The settlement amount likely indicates a “cost of litigation” settlement with a desire to avoid further legal proceedings and expenses. There is no admission of wrongdoing on the part of Penn State. The whistleblower will receive a $250,000 share of the settlement amount.
Importantly for government contractors, FCA claims are on the rise. Principal Deputy Assistant Attorney General Brian M. Boynton (head of the DOJ’s Civil Division) announced that, in 2023 alone, DOJ opened 500 new FCA matters (a record high) and began investigating 712 qui tam lawsuits. Boynton also noted that cybersecurity FCA cases are a priority for 2024.
This DOJ settlement highlights the importance of robust contractor compliance systems and a culture that facilitates self-disclosure, internal investigations, and cooperation with the government. If cybersecurity compliance has not been at the top of your list, it is time (and likely past-time) to move it up. Sheppard Mullin’s Governmental Cybersecurity & Data Protection Team has resources and training materials available. If additional information would be helpful to you, or you have any questions, please contact us.