Penn State Settlement Shows Growing Cybersecurity Risks for Schools That Contract With Government Agencies on Sensitive Matters
Penn State recently agreed to pay $1.25 million to settle allegations of False Claims Act violations related to its cybersecurity controls after a whistleblower alleged that the university failed to adhere to cybersecurity requirements associated with a contract it had with the Department of Defense and lied to the government about its cybersecurity program.
The settlement is a reminder that universities that have government contracts requiring the university to employ certain cybersecurity measures must comply with those requirements or face federal investigations and potentially serious penalties associated with the False Claims Act.
The Penn State Case
Penn State contracted with the Department of Defense. The contract required Penn State to adopt certain cybersecurity controls and to report to the government that it had done so.
A whistleblower (the former chief information officer of the university’s applied research lab and interim CIO of the university itself) alleged, among other things, that Penn State failed to implement the required cybersecurity policies and procedures and then misled the government into believing it had implemented the required policies and procedures. The whistleblower claimed that he attempted to address these issues with university leadership but that his concerns were suppressed.
The Department of Justice pursued the whistleblower’s claims under its Civil Cyber-Fraud Initiative, which, according to the department, aims to hold government contractors accountable for “misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents.” The DOJ’s authority under the Civil Cyber-Fraud Initiative arises from the False Claims Act.
The Department of Justice recently announced that Penn State has agreed to pay $1.25 million to settle alleged False Claims Act violations arising from the whistleblower’s complaint.
Universities Should Take Note
As universities that frequently contract with the government may know, government contractors are contractually obligated to make representations about the cybersecurity controls they have in place to protect controlled unclassified information (CUI). In other words, many universities that contract with the government for research or certain other purposes will likely have obligations to adopt appropriate cybersecurity policies and procedures and confirm to the federal government that they have done so.
Failing to adopt the required protocols while representing that the university has done so may lead to significant liability under the False Claims Act. The False Claims Act allows treble damages plus a significant civil penalty, currently ranging as high as $23,331, for each false claim. Whistleblowers, called “relators” under the False Claims Act, may receive up to 30% of the recovery and, if successful, reasonable attorneys’ fees and costs. In the case of Penn State, the whistleblower was awarded $250,000. That gives disgruntled employees a large incentive to assert a claim.
Key Considerations
University counsel and cybersecurity teams should be prepared to address and mitigate the risks of False Claims Act claims related to their cybersecurity program with a systematic approach. Below are a few considerations.
- Contract requirements. Universities should thoroughly review the cybersecurity requirements of their contracts with the government to ensure that the university has complied with its obligations under those contracts.
- Cybersecurity program policies and procedures. Universities should have policies and procedures in place to examine new contracts before signing, to confirm that the university is, or will be, able to comply with the cybersecurity requirements those contracts impose.
- Representations to the government. Most importantly, universities must have policies and procedures in place to ensure that representations they make to the government, including but not limited to representations about their cybersecurity program, are accurate.
- Whistleblower policies. Universities should also have a False Claims Act-compliant whistleblower policy and should consider including a procedure for routing and resolving employee complaints related to cybersecurity.