In today’s digital world, where 1 in 3 Americans were affected by a healthcare data breach in 2023, ensuring cybersecurity compliance in government contracts is more crucial than ever. Yet violations still occur, sometimes with significant consequences. The Pennsylvania State University (Penn State) recently paid $1.25 million to settle allegations of violating the False Claims Act. This settlement highlights the indispensable role of cyber-fraud whistleblowers in exposing non-compliance. False Claims Act qui tam whistleblowers typically receive a portion of the government’s recovery, between 15% and 25% of the settlement. The whistleblower in this case was the former chief information security officer for Penn State’s Applied Research Laboratory, and they will receive $250,000, or 20% of the settlement.
The Case Against Penn State
Between 2018 and 2023, Penn State allegedly failed to meet cybersecurity obligations in fifteen contracts or subcontracts with the Department of Defense (DoD) and National Aeronautics and Space Administration (NASA).
Key Allegations
Failure to Implement Required Cybersecurity Controls: Despite contractual obligations, Penn State did not implement required cybersecurity measures.
Misrepresentation of Compliance: The university submitted cybersecurity assessment scores that inaccurately reflected compliance timelines and plans.
Non-compliant Cloud Service Use: Penn State allegedly used an external cloud service provider that did not meet DoD security standards.
Why Cyber-Fraud Whistleblowers Matter
Whistleblowers such as the former CISO in this case ensure that organizations adhere to cybersecurity requirements, protecting sensitive information and national security interests. The Principal Deputy Assistant Attorney General said about the case, “Universities that receive federal funding must take their cybersecurity obligations seriously.” The Assistant Inspector General for Investigations of NASA’s Office of Inspector General emphasized, “Safeguarding sensitive NASA and DoD data is crucial to ensuring that it does not fall into the hands of our adversaries or bad actors. The University’s inability to adequately address known deficiencies not only put sensitive information at risk but also undermined the integrity of our government’s cybersecurity efforts.”
Understanding the False Claims Act and Qui Tam Whistleblowers
The False Claims Act (FCA) is a key legal tool used to combat fraud against government programs. Within this framework, qui tam provisions empower individuals, known as relators, to file lawsuits on behalf of the government when they uncover fraudulent activities. These whistleblowers are instrumental in holding organizations accountable and ensuring taxpayer dollars are used as intended. Cyber-fraud whistleblowers are the unsung heroes who ensure accountability, protect public resources, and promote a culture of compliance. With the DOJ’s announcement of the Civil Cyber-Fraud Initiative in 2021, cybersecurity whistleblowers are more important than ever.