On October 22, 2024, the U.S. Department of Justice (“DOJ”) announced that The Pennsylvania State University (“Penn State”), a public university in University Park, Pennsylvania, agreed to pay $1.25 million to resolve allegations that it violated the False Claims Act (the “FCA”). Specifically, Penn State allegedly failed to meet the cybersecurity requirements in its federal contracts (the Department of Defense contract clause that requires contractors handling covered defense information to implement the controls in NIST SP 800-171), misrepresented its compliance timelines and plans, and failed to use an external cloud service provider that met DoD’s security requirements for such providers.

This is the latest settlement of cybersecurity-related FCA claims since DOJ announced its Civil Cyber-Fraud Initiative in October 2021. The case stems from a complaint filed in the Eastern District of Pennsylvania by the former chief information officer of Penn State’s Applied Research Laboratory. The complaint was brought under the FCA’s qui tam provisions, whereby a private citizen (the “relator”) can sue on behalf of the government and share in any recovery. The failures alleged in the settlement occurred between 2018 and 2023.

The action against Penn State highlights the importance of tracking compliance with the myriad cybersecurity regulations to which a company is subject, and of tracking what the company has attested about that compliance. As governance over cybersecurity comes into sharper focus, the compliance department’s potential role likewise continues to evolve. The settlement also underscores the need to provide a channel for personnel to escalate perceived compliance failures, and to act on what comes through that channel.

The Penn State Settlement

The Penn State settlement resolved claims first filed in 2023 by whistleblower Matthew Decker, the former CIO of Penn State’s Applied Research Laboratory and Vice Provost for Information Technology for the university as a whole. Following a significant cyber breach at Penn State, Decker was responsible for ensuring that both the Applied Research Laboratory and the university adhered to the U.S. Department of Defense’s cybersecurity regulations.

Decker alleged that, throughout his tenure at Penn State from 2015 to 2022, the university failed to meet federal regulatory requirements to safeguard covered defense information and violated the cybersecurity terms of its federal contracts. Decker further alleged that Penn State had submitted false self-attestations of compliance to federal agencies from at least 2017 to 2022. Finally, he claimed that Penn State failed to provide accurate dates and timelines for achieving compliance, as federal regulation requires.

Decker filed the action after his repeated attempts between 2018 and 2022 to raise compliance concerns internally allegedly went nowhere. For example, Decker alleged that in 2018 he flagged the compliance gaps to management and was told that Penn State was sufficiently compliant. He also alleged that he offered to create working groups to address the gaps, but that in early 2021 Penn State showed no interest in them. Decker alleged that he was eventually allowed to assemble a review team in April 2022, and that the team’s review showed that many compliance records had been falsified.

DOJ formally intervened in the case on October 23, 2024 and notified the court that it had settled with Penn State. Penn State and DOJ reached a $1.25 million settlement resolving all claims, of which Decker received $250,000 as the relator’s share.

DOJ’s Civil Cyber-Fraud Initiative

The Penn State settlement comes as the Biden administration has increasingly emphasized the need to combat emerging cyber threats. In announcing the settlement, Special Agent in Charge Greg Gross, Naval Criminal Investigative Service Economic Crimes Field Office, stated: “As our cyber adversaries become increasingly sophisticated, the importance of cybersecurity in safeguarding Department of Defense research, development and acquisitions information cannot be overstated.” Additionally, U.S. Attorney Jacqueline C. Romero stated: “Federal contractors who store or access covered defense information must take required steps to protect that sensitive information from bad actors. When they fail to meet their cybersecurity obligations, we and our law enforcement partners will use every available tool to remedy the situation.”

As Debevoise previously discussed, the Civil Cyber-Fraud Initiative enforces cybersecurity requirements against a much broader group than just those contracting with the DoD or NASA: it reaches federal contractors and grant recipients generally. Previous settlements have included hospitals, software companies, and other defense contractors.

Although the Civil Cyber-Fraud Initiative is aimed at federal contractors, internal whistleblowers may also surface other potential liability arising from false information security attestations. Not every inaccurate attestation would support a claim under the FCA, but attestations of compliance can give rise to other forms of civil, or even criminal, liability.

More broadly, as Debevoise recently noted, in August 2024 DOJ launched a pilot program offering financial awards to whistleblowers who provide information about certain corporate crimes. In parallel, DOJ continues to incentivize companies to develop their internal compliance programs.

Key Takeaways

To mitigate the risk of liability under the FCA and better prepare for and respond to cybersecurity-related whistleblower complaints in general, companies should consider the following:

  1. Compliance Department Seat at the Cyber Table: As cybersecurity governance has matured, many companies have expanded their cyber legal teams and even their information security risk teams. Companies should also consider adding cybersecurity subject matter experts to their compliance teams. Compliance personnel have deep experience in monitoring regulations and in tracking both actual compliance with, and attestations made under, those regulations. These teams should consider creating and maintaining compliance schedules that document each applicable requirement, which unit owns it, and which unit is attesting to the firm’s compliance with each element.
  2. Internal Responsiveness to Cybersecurity Complaints: All cybersecurity (and other) whistleblower reports merit objective assessment, even when vague or inflammatory, and careful consideration of appropriate next steps. It is important to share such complaints internally with subject matter experts to help determine, at least initially, the appropriate scope of any internal investigation and who is best situated to investigate, including potentially external counsel. Such investigations should proceed expeditiously. In addition, it is important to communicate with whistleblowers in a manner that demonstrates seriousness of purpose and to take steps internally that protect whistleblowers from any retaliation.
  3. Technical Expertise of the Investigation Team: Given the technical nature of many cyber and AI whistleblower claims, it is important that the investigation team has the necessary expertise to evaluate the allegations or has access to consultants who can assist in that evaluation. When consulting in-house experts, be careful not to involve anyone who is implicated by the allegations.
  4. Avoiding Retaliation: Even the appearance of retaliation can create problems for the company. If the whistleblower is anonymous, it is advisable not to seek to determine their identity. If the whistleblower’s identity is known to investigators, it is best not to share it with others unless strictly necessary for the investigation, in order to limit the risk of retaliation.
  5. Consider Periodic Internal Audits or Similar Reviews of the Whistleblower Process: As with other important processes, companies should consider how best to monitor that their whistleblower processes are working as designed. This includes, among other things, verifying that complaints are properly received, recorded, escalated, investigated, and resolved, including any appropriate remediation. An internal audit function can play a vital role in such validation, helping (for example) to identify repeat allegations that received insufficient internal attention and therefore present continuing concerns.

The cover art used in this blog post was generated by Microsoft Copilot.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Andrew Levine is a litigation partner who focuses his practice on white collar and regulatory defense, internal investigations and a broad range of complex commercial litigation. He regularly defends companies in criminal, civil and regulatory enforcement matters and has conducted numerous investigations throughout the world. Mr. Levine frequently advises companies on compliance matters, including with respect to the U.S. Foreign Corrupt Practices Act, and the assessment and management of risks presented by potential mergers, acquisitions and other transactions. In 2014, Mr. Levine was named to Global Investigations Review’s inaugural “40 Under 40” list of the world’s leading investigations lawyers, and he was recognized in 2013 as a Rising Star by the New York Law Journal. Mr. Levine is recommended for international litigation in The Legal 500 US (2022), where clients have described him as “smart, responsive, collaborative and sharp in his advice.” He is ranked as a leading lawyer for FCPA by Chambers USA (2022), where clients say “he is focused on pragmatic solutions.” Sources have also said that “his breadth of knowledge is unparalleled,” he is “exceptionally able and capable,” and “very pragmatic and hands-on. He’s able to conceptualize and simplify quite quickly complex considerations and situations.” In Chambers Global (2023) and Chambers Latin America (2023), where Mr. Levine is recommended as a top-tier lawyer, clients note that “he stands out for his client service and attention to detail,” describing him as “a lawyer that turns complexity into simplicity.” They also note that he is “extremely professional and technical” and he has “a deep experience in Latin America.” In previous editions of the guides, he has been lauded as “an impressive and tireless thought leader,” “an extremely well-known figure globally,” “a very thoughtful and service-oriented lawyer,” “a reassuring presence in tumultuous times,” “a calm, competent and thorough practitioner” and “brilliant, hard-working and thoughtful.” Clients are said to value his “encyclopedic knowledge” and his “ability to condense a complex situation into something understandable and manageable.” Mr. Levine is also ranked as a leading lawyer by The Legal 500 Latin America (2023), where clients describe him as “an amazing lawyer” and “the US lawyer that knows the Latin America compliance and investigation market the best.” In previous editions of the guide, he is described as a “superstar,” with clients noting that “he has a wealth of experience,” is “extremely articulate” and “he has an amazing analytical ability.” Latin Lawyer notes Mr. Levine’s “substantial work in Latin America,” recognizing him as one of the top lawyers active on anti-corruption matters in the region.

Author

Erez Liebermann is a litigation partner and a member of the Debevoise Data Strategy & Security Group. His practice focuses on advising major businesses on a wide range of complex, high-impact cyber-incident response matters and on data-related regulatory requirements. He can be reached at eliebermann@debevoise.com.

Author

Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at jjpastore@debevoise.com.

Author

Stephanie Cipolla is an associate in the Litigation Department and a member of the firm’s Data Strategy & Security practice. Her practice focuses on cybersecurity and data privacy issues, including incident preparation and response. She can be reached at smcipolla@debevoise.com.

Author

Michelle Shen is a law clerk in the Litigation Department. She can be reached at mcshen@debevoise.com.