Report on Research Compliance 21, no. 12 (December, 2024)
Note to research compliance officials still digesting news of Pennsylvania State’s recent $1.25 million settlement over False Claims Act (FCA) allegations related to cybersecurity and the government’s recent intervention in a similar case against Georgia Institute of Technology:
Julie Bracker, the Georgia attorney who brought both cases, said she has filed 10 additional whistleblower suits that are still secret, awaiting the government’s decision about whether it will intervene. These two represent the first FCA cases involving alleged cybersecurity failures related to the performance of research awards or contracts prosecuted under the Department of Justice’s (DOJ) Civil Cyber-Fraud Initiative.
Undoubtedly, the organizations named in Bracker’s sealed suits already know they are targets. But the volume of pending cybersecurity enforcement cases had not been disclosed previously. The number Bracker has filed gives the government multiple ready-made options for pursuing cybersecurity cases, since whistleblower suits typically lay strong groundwork for the allegations. Moreover, Bracker is just one attorney; others may have similar suits under seal.
Additionally, DOJ may be pursuing cases it initiated—all of which underscore the heightened enforcement risk research institutions now face in the area of cybersecurity and the need for them to redouble their compliance efforts.
Bracker, a partner with Bracker & Marcus LLC, filed the Georgia Tech case on July 21, 2022; the government intervened on Feb. 20 of this year but did not file its complaint until Aug. 22, at which point the case was unsealed and became public. This case is heading toward trial, in contrast to Penn State’s. The most recent development is that Georgia Tech and a related research corporation filed a motion to dismiss the suit.[1] Georgia Tech’s attorneys argue that the information at issue stemmed from fundamental research that does not require heightened security safeguards.
She sued Penn State on Oct. 5, 2022, but that litigation was unsealed more quickly than the Georgia Tech case. It was made public a year later by a seemingly impatient judge; at that point, DOJ had not yet intervened. DOJ’s intervention took the form of the settlement agreement it announced Oct. 22.[2]
Bracker called the Penn State and Georgia Tech cases “very similar in that they’re against academic research institutions who are not making sure that principal investigators are properly taking care of government controlled unclassified information.”
The whistleblower, or relator, in the Penn State case is Matthew Decker, the chief information officer (CIO) at Penn State’s Applied Research Lab from November 2015 to March 2023. For an eight-month period in 2016, he also served as Penn State’s interim CIO and vice provost. Since April 2023, Decker has been the chief data and information officer at NASA’s Jet Propulsion Laboratory.
His share of the $1.25 million is $250,000. Separately, Penn State agreed to pay Bracker’s firm $150,000.
This story focuses on allegations underpinning the settlement and the legal steps leading up to it. Future issues of RRC will explore challenges and recommendations related to systemwide cybersecurity safeguards applicable to certain research information.
As described in the settlement, DOJ alleged that Penn State failed to implement requirements under National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, in connection with 15 contracts or subcontracts that called for the “collection, development, receipt, transmission, use, or storing of unclassified information…known as Covered Defense Information or Controlled Unclassified Information.”[3]
DOJ: Penn State Noncompliant From 2018-2023
The Department of Defense (DoD) also requires contractors and subcontractors to post summary-level scores of a current SP 800-171 assessment to the Supplier Performance Risk System (SPRS). DOJ contended Penn State violated the FCA because it submitted or caused to be submitted false claims based on its “alleged failure, during the period from January 2018 to November 2023, to implement certain NIST SP 800-171 controls.”
Beginning in November 2020, “Penn State disclosed in its submissions to the SPRS that it had not implemented certain NIST SP 800-171 security requirements” but also “allegedly knowingly misstated, in its submissions to the SPRS, the dates by which it expected to implement all 110 of NIST SP 800-171’s requirements for those systems and failed to pursue plans of action for their implementation,” according to the settlement.
Also applicable are Defense Federal Acquisition Regulation Supplement (DFARS) provision 252.204-7008 and clause 252.204-7012, which require DoD contractors and subcontractors to provide adequate security on all covered contractor information systems, according to the government. DOJ alleged that, for some of the 15 contracts or subcontracts, “Penn State did not use an external cloud service provider that met the security requirements” under DFARS 252.204-7012 and failed to meet other related requirements.
The whistleblower suit noted that “there is no certification body or official audit procedure to determine whether a contractor is adhering to NIST 800-171 requirements. Instead, contractors must conduct a self-assessment and self-attest to compliance. This involves a points-based system of self-assessment against the 110 requirements outlined in the NIST 800-171, scoring compliance with each of the individual requirements.”
Whistleblower: Suit Was Last Resort
The suit recounted Decker’s successful efforts, dating back to 2016, to bring the Applied Research Lab into line with cybersecurity requirements, and how he was stymied when it came to assisting with Penn State’s overall compliance, particularly after he discovered in 2019 that Penn State’s “risk assessment scores, artifacts, and incomplete records entered into SPRS were knowingly false and were added merely to ‘check the box’ so that there would be no ‘missing’ records,” according to his suit.
In a statement Bracker provided to RRC after the settlement was announced, Decker said he “filed because there was nothing else I could do internally, and I had reached my limits of frustration and increasing personal risk in trying to resolve matters from within. After decades of loyalty to national defense, and with my understanding of the consequences of having our adversaries obtain sensitive defense research information, it is unacceptable to me for any organization to falsely attest or even fabricate data asserting security and compliance with such sensitive information, which is produced on taxpayers’ dollars. It is also unethical for any organization to illegitimately knock others out of fair competition. I filed with the understanding that there was a high probability of receiving nothing in return. The sacrifice my family and I have made to get this noticed and corrected is immeasurable, but it was the right thing to do.”
Bracker told RRC Decker has been apart from his family since he took the NASA job, which is based in California. His family remains in Pennsylvania.
Penn State did not admit wrongdoing nor address allegations that it was noncompliant or engaged in FCA violations. The settlement does not oblige it to do anything other than make the payments. In contrast, DOJ’s $7.6 million settlement earlier this year with Cleveland Clinic over FCA allegations includes requirements imposed by NIH that it “create a mandatory training program addressing requirements for disclosing other grant support, research security, and cyber security.”[4]
The Cleveland Clinic case centered on allegations that a researcher did not report foreign support and that Cleveland Clinic employees using shared logins entered information for him, a violation of NIH password policies. Michael Lauer, NIH deputy director for extramural research, later issued a reminder about “cyber honesty” and warned that NIH may require “return of awarded grant funds,” impose terms and conditions on awards and require other corrective actions if it is determined that awardees are inappropriately accessing eRA Commons, the federal government’s grants management system.[5]
Penn State: Concerns Focused on ‘Documentation’
Bracker told RRC that Penn State, as a result of the settlement, “is under heightened scrutiny” by federal awarding agencies “and other contracting partners,” noting that “cybersecurity obligations will continue to be part of applicable contracts going forward.”
“Because cybersecurity is of critical importance, I feel confident that its contracting partners will be looking beyond its self-attestations to ensure that the institution is meeting its obligations. In my experience, bringing light to the area and calling attention to the failure is, hopefully, enough to ensure compliance,” she added.
Penn State did not respond to questions from RRC but instead sent the following statement about the settlement:
“As a world-class academic research institution, Penn State values its relationships with its research sponsors and takes seriously its cybersecurity obligations. The University has devoted significant resources to complying with its obligations—and to continuously improving and enhancing its cybersecurity measures. Most recently, Penn State proactively adopted additional cybersecurity policies and systems to meet anticipated future obligations across the global research landscape. There is no suggestion by our research sponsors that any of the non-classified information that has been the subject of this matter was ever compromised. Rather, the government's concerns—following its thorough investigation—primarily focus on the documentation related to implementing specific controls for handling data and information. The University’s settlement of this matter is not an admission of wrongdoing. The University wishes to avoid costly and distracting litigation and to address any concerns our government sponsors may have related to this matter.”
Among the questions Penn State did not answer was one about the basis for the $1.25 million payment, as neither the whistleblower suit nor the DOJ settlement offers any insight. Bracker told RRC the amount partly reflects “the contracts that were determined to be an issue.”
Universities Part of Cases Under Seal?
Bracker referenced other pending cases during a Sept. 10 podcast about the Georgia Tech case. “I’ve got about 10 of these under seal that we don’t [get to] talk about right now,” she said.[6] In the comments below the YouTube posting of the podcast, host Jacob Hill said Bracker told him that eight of the 10 cases “relate to NIST 800-171.”
RRC asked Bracker if the cases center on cybersecurity failures at universities involving federal funding. “I can’t speak about cases that have been filed but are under seal,” she replied.
In a different podcast with Hill about the Penn State case, Bracker explained some of the twists and turns occurring during the two-year period from the time her Penn State suit was filed until the settlement was announced.[7]
The FCA statute gives the government 60 days to make an intervention decision once the relator suit has been filed, Bracker explained; extensions are usually necessary and granted. “Everybody who works in this space knows that [60 days] is absurd,” she said. “If I am lucky, I will have a team assembled on the government side, and they will have conducted their first interview of the relator within that first 60 days.”
States, as well as numerous federal agencies, may be involved in cases, which can complicate and lengthen them. In addition to DoD, the Penn State case involved NASA, the Defense Advanced Research Projects Agency, the Missile Defense Agency, the Army, Navy and Air Force.
Use of Magistrate Kept Suit Alive
At one point in the Penn State case, DOJ attorneys asked for another six-month extension that was not granted, Bracker said, a surprising ruling. “We were like, ‘excuse me...this is a complex case’” and part of a “brand new cyber fraud initiative [and] the attorneys for Penn State were actively working with the Department of Justice on its investigation. Nobody was at loggerheads.”
She said that “having some kind of regular check-in with the court is not a bad thing. But when we get situations like Penn State where the court says you’re done, and neither the defendant nor the relator, nor the Department of Justice felt that they were done, then what?”
Bracker “would love to see [the timelines made] more reasonable because now you’re off to the races asking the court for an extension,” she said. “And the problem is, it’s not one court.” The cases involved “two different judges with different views on extensions.”
The Penn State case “came out from under seal…because the judge in the Penn State matter decided that they had had enough extensions, and it was time for the case to be public,” she said.
Rather than DOJ being forced to declare that it wasn’t intervening at that point, a back-up plan was activated, which involved all parties agreeing to transfer the case to a magistrate judge to oversee, a situation Bracker called “uncommon.”
The case was assigned to a magistrate previously involved in an FCA case; the magistrate granted extensions that allowed DOJ to continue its investigation and reach a settlement, she said.
“I’m not able to say a whole lot about” the settlement process, Bracker said. “The bottom line is that the government never expressed disinterest in the Penn State case. They never declined it. They went forward with it, even in those circumstances where it would’ve been easy enough to just decline it …the fact that they [agreed to use a magistrate], I think, speaks volumes to how important these issues are for the Department of Justice and for those agencies whose contracts they're trying to protect.”
1 Theresa Defino, “U.S., GA Tech Tussle Over FCA Allegations, Cybersecurity,” Report on Research Compliance 21, no. 12 (December 2024).
2 U.S. Department of Justice, Office of Public Affairs, “The Pennsylvania State University Agrees to Pay $1.25M to Resolve False Claims Act Allegations Relating to Non-Compliance with Contractual Cybersecurity Requirements,” news release, October 22, 2024, https://bit.ly/4efMFfW.
3 Settlement agreement, U.S. ex rel. Decker v. Pennsylvania State University, No. 2:22-cv-03895 (E.D. Pa., 2024), https://bit.ly/48VNcCW.
4 Theresa Defino, “Cleveland Clinic Pays $7.6M Related to PI Whose Charges Were Dropped; ‘He Was Treated Horribly,’” Report on Research Compliance 21, no. 7 (July 2024), https://bit.ly/4d6cajJ.
5 Theresa Defino, “FCA Settlement Prompts NIH Reminder on ‘Cyber Honesty,’” RRC E-Alerts, October 17, 2024, https://bit.ly/40StcPI.
6 GRC Academy, “Georgia Tech Cybersecurity False Claims Scandal: Meet the Whistleblowers,” YouTube video, 41:35, September 10, 2024, https://bit.ly/3YT2weN.
7 GRC Academy, “Penn State Cybersecurity False Claims Scandal: Meet the Whistleblowers,” YouTube video, 44:23, November 11, 2024, https://bit.ly/3ACc0Dn.