Penn State Cybersecurity False Claims Act Case: U.S. Government Signals Active Investigation

The federal government has declined to intervene – for now – in a recently unsealed case against Penn State that demonstrates the growing use of the False Claims Act in cybersecurity enforcement. The court gave the government a month to decide if it would intervene (take over) the whistleblower (relator)’s qui tam complaint. The United States filed its notice on September 29, stating that it “was not intervening at this time,” but that its “investigation remains active.”   

The government’s filing is standard fare when it is forced to decide before completing its investigation but wants to signal that intervention remains a possibility. The court had previously denied the government’s request for a fourth extension of the seal period and unsealed the complaint sua sponte. The government stated that it “is still obtaining and reviewing information produced pursuant to” Civil Investigative Demands. “Depending on the outcome of that review, the United States may need to take further investigatory actions before it is in a position to determine whether to proceed with the action.”

The relator in the case – the former Chief Information Officer of Penn State’s Applied Research Lab – alleges that Penn State submitted false certifications to the Department of Defense concerning compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) Special Publication 800-171. Based on the recent filing and the multiple motions to extend the seal period, the government is taking the complaint seriously.

That is no surprise. The case is in line with DOJ’s Civil Cyber-Fraud Initiative, which has emphasized cybersecurity enforcement through the FCA. The government’s position underscores the complexity of these types of cases, both from the cybersecurity and the FCA angle.

Only four other cases related to the Civil Cyber-Fraud Initiative have become public. One was a qui tam action in which the government chose not to intervene, but it was filed in 2017, years before the Initiative was put in place. The other three settled after protracted investigations, even though the relevant cybersecurity requirements were far less complex than in the Penn State case. 

• In March 2022, the government settled a lawsuit against Comprehensive Health Services LLC, a contractor that allegedly failed to securely store the health records of State Department and Air Force personnel. In that case, it took the government over four and a half years to intervene.
• In March 2023, the government settled a case against Jelly Bean Communications Design LLC, a contractor hired by the Florida Healthy Kids Corporation to design and host a website that complied with the Health Insurance Portability and Accountability Act (HIPPA). The settlement agreement suggests the government’s investigation began in or around 2020, following a hacking incident.
• In September 2023, the government settled with Verizon Business Network Services LLC on allegations that it failed to meet cybersecurity controls under the Trusted Internet Connections initiative, as required for its General Services Administration contracts. It appears Verizon self-disclosed the apparent violations to the government in or around 2021.

In a word, these types of investigations tend to take years, not months.  Considering the complexity of the cybersecurity requirements in the Penn State case – the relevant federal cybersecurity standards call for a self-assessment for over 100 requirements – the government will take a lot longer than the year that has passed since the complaint was filed in October 2022.

Whatever the outcome, the case is moving full steam ahead. The summons for Penn State to answer the relator’s complaint was issued on October 2, 2023.