DOJ's strong message to contractors: plug all cybersecurity holes

A string of False Claims Act settlements should put contractors on notice for how the Justice Department is active and open to whistleblower complaints, writes attorney Gordon Schnell.

On Oct. 22, the Department of Justice announced that Penn State University will pay $1.25 million to settle charges it violated the False Claims Act by failing to comply with the cybersecurity requirements under multiple Department of Defense and NASA contracts. 

It is just the latest in a string of False Claims Act cases against universities and other federal contractors that fail to protect highly sensitive information. Those that do business with the government would be wise to get their data protection systems in order or they may find themselves next up on DOJ's cybersecurity hit list.

According to the government, this latest settlement centered on Penn State's failure to implement contractually required cybersecurity controls or take any action to correct known deficiencies. 

The government alleged the university submitted cybersecurity assessment scores that misrepresented when it would implement certain required cybersecurity controls and that it took no steps to actually implement them. The government further alleged the university failed to use an external cloud provider that met DoD’s security requirements for covered defense information.

It was only two months ago that DOJ filed a False Claims Act case against Georgia Tech alleging some of the same types of cybersecurity violations with the university's DoD contracts. 

This included submitting false cybersecurity assessment scores and failing to implement required cybersecurity controls. With these two actions, the government has made it clear that ensuring defense contractors comply with DoD's cybersecurity requirements is a top enforcement priority. 

The government stressed this priority in promoting the Penn State settlement, noting that "as our cyber adversaries become increasingly sophisticated, the importance of cybersecurity in safeguarding Department of Defense research, development and acquisitions information cannot be overstated."

The government took an equally strong tone in trumpeting the Georgia Tech action, highlighting the "significant threat" to national security and the safety of our armed forces posed by "deficiencies in cybersecurity controls."

But the government's cybersecurity priority extends beyond defense information to protecting all kinds of sensitive information.

In June, for example, DOJ reached an $11.3 million False Claims Act settlement with Guidehouse and Nan McKay and Associates for allegedly failing to protect personal identifying information under their contracts to help secure federal rental assistance during the COVID-19 pandemic.

In May, DOJ reached a $2.7 million False Claims Act settlement with Insight Global for allegedly failing to implement adequate cybersecurity measures to protect health information under its government contract for COVID-19 contact tracing.

All these actions were part of the Cyber-Fraud Initiative DOJ launched in October 2021 to go after federal contractors that put sensitive information at risk by providing deficient cybersecurity products or services, misrepresenting cybersecurity practices or protocols, or breaching obligations to monitor and report cybersecurity incidents and breaches.

The risk of getting caught up in these regulatory crosshairs is all the more real given the powerful incentives the False Claims Act provides whistleblowers to step forward. 

Under the statute's qui tam provisions, private persons may bring lawsuits on behalf of the government against those that defraud the government. In return, successful whistleblowers are awarded a significant share of any government recovery (up to 30%). It is no wonder that whistleblowers originated all these enforcement actions.

In the Penn State action, the whistleblower was the former Chief Information Officer for Penn State’s Applied Research Laboratory. He will receive an award of $250,000, representing 20% of the government's recovery.

DOJ has not been shy in promoting the role these whistleblowers have played and the rewards they have received. DOJ clearly wants to encourage those with inside information of potential cybersecurity violations to step forward.

It also wants to send a strong message to government contractors to make sure their cybersecurity protocols are up to snuff.

Otherwise, they might be the headline of the next DOJ enforcement action in this area.

------------------------

Gordon Schnell is a partner in the New York office of Constantine Cannon, specializing in the representation of whistleblowers.