(TNS) — Penn State University has agreed to pay $1.25 million to settle a lawsuit brought by a whistleblower who claims the university failed to comply with cybersecurity requirements in more than a dozen federal contracts. .
Whistleblower Matthew Decker, former chief information officer at the university’s Applied Research Institute, will receive $250,000 from the settlement, the Justice Department announced in a press release Tuesday.
In a written statement, Decker thanked his attorneys for their cooperation in what he described as a “possibly precedent-setting case.”
“I filed because there was nothing else I could do internally and the frustration and increased personal risk of trying to resolve the issue from within reached a breaking point,” Decker said in a statement. “Having been loyal to our national defense for decades, we understand the consequences if an adversary obtains sensitive defense research information. It is unacceptable to me to falsely certify or even fabricate data that claims safety and compliance. This is produced with taxpayer dollars and unfairly deprives other organizations of Excluding them from competition is unethical.”
Penn State has not admitted any wrongdoing and no finding of liability has been made.
Penn State said Wednesday in an email to the Center Daily Times that the university wants to avoid costly litigation and address “any concerns that government sponsors may have related to this issue.” I wrote that it is.
“As a world-class academic research institution, Penn State values its relationships with research sponsors and takes its cybersecurity obligations seriously. The University complies with its obligations and continually improves and improves its cybersecurity practices. ” the university wrote. “More recently, Penn State has proactively adopted additional cybersecurity policies and systems to meet anticipated future obligations across the global research landscape.
“Our research sponsors have no indication that any non-classified information that is the subject of this matter has been compromised. Rather, the government’s concerns, following a thorough investigation, are primarily related to the implementation of specific controls. It focuses on documents that deal with data and information. ”
The university was charged with violating the False Claims Act by failing to comply with 15 contracts or subcontracts involving the Department of Defense or NASA.
The Department of Justice said Penn State did not implement contractually required cybersecurity controls from 2018 to 2023 and did not adequately develop a plan to remediate the deficiencies it identified.
Julie Blacker, one of Mr. Decker’s attorneys, said in an email to CDT Wednesday afternoon that the incident is “unfortunately all too common and a common occurrence in today’s world of cyberattacks, hacking, and attacks.” “It shows a cavalier attitude towards cybersecurity that can no longer be tolerated in an atmosphere of stability.” And violation. ”
“We were proud to represent Matthew Decker, who took the initiative to bring this matter to the attention of the government, even at the risk of sacrificing his own interests,” Blacker wrote. . “As one of the first cyber whistleblowers, his expertise was critical to this case. We hope this settlement demonstrates that the government takes these protections seriously and that cybersecurity is important to government contracts. We hope to pass the message on to other research institutions.”
Decker’s lawsuit alleges that Penn State did not appear to be working toward compliance, despite Decker warning key university officials multiple times. His filing alleges that some of the reports submitted by the university were template documents filled out simply to “tick a box.”
The Justice Department also wrote that Penn State does not use an outside cloud service provider that meets the Department of Defense’s security requirements for protected information.
Robert Steinau, NASA’s assistant inspector general for investigations, said in a statement: “Protecting sensitive NASA and Department of Defense data is critical to keeping it from falling into the wrong hands.” said. “The university’s failure to adequately address known flaws not only put sensitive information at risk, but also undermined the integrity of the government’s cybersecurity efforts.”
Decker served as ARL’s chief information officer from November 2015 to March 2023, according to LinkedIn. One month after leaving Penn State, he was named chief data and information officer at NASA’s Jet Propulsion Laboratory.
“I applied with the understanding that I would likely receive nothing in return,” Decker said. “The sacrifices my family and I made to recognize and correct this problem are immeasurable, but it was the right thing to do.”
©2024 the Center Daily Times, distributed by Tribune Content Agency, LLC.
