Penn State Cybersecurity Violations Related to Federal Contract Cost $1.25 Million

The Record reports that Penn State University has been fined $1.25 million for failing to meet cybersecurity standards stipulated in its federal contracts with the Department of Defense (DoD) and NASA.

The fine settles Decker v. Pennsylvania State University. Between 2018 and 2023, fifteen contracts identified non-compliance issues. The university failed to implement mandatory cybersecurity controls, including misrepresenting the timing of planned corrective actions.

Universities entering into federal contracts are often subject to strict cybersecurity requirements due to the sensitive nature of government data. In 2021, the Department of Justice introduced the Civil Cyber-Fraud Initiative, which focuses on holding federal contractors accountable for cybersecurity breaches and calls for legal action in the event of failure to safeguard government data.

The Department of Justice (DOJ) says that Penn State acknowledged its cybersecurity deficiencies but failed to rectify them within the specified timeline and then made misleading claims about its compliance efforts. Additionally, it neglected to use a cloud service provider that met DoD standards for defense-related data.

The settlement results from a lawsuit filed under the False Claims Act’s whistleblower provisions. Matthew Decker, the former CIO of Penn State’s Applied Research Laboratory, will receive $250,000 for reporting the cybersecurity breaches.

The outcome reflects the DOJ’s heightened scrutiny under the Civil Cyber-Fraud Initiative and the potential financial and reputational damage at stake. For law firms and legal departments, ensuring their clients’ proactive alignment with government contract security requirements will mitigate risks, uphold data integrity, and protect contractors from penalties.