SolutionsHire top legal talent for any scope of workGet Started Contact us to find the best fit for any in-house or law firm role Testimonials Trusted by the world's leading legal departments FAQ Frequently asked questions about working with Legal.ioEmployer Resources Tools and guides for hiring managers A notable case involves Penn State University, which is accused of non-compliance with DoD cybersecurity obligations and falsely attesting to DFARS compliance since 2018.
In recent weeks, there has been a significant increase in cyber-related False Claims Act (FCA) activity. This surge in activity signals that contractors and universities should brace for additional scrutiny and potential whistleblower claims in this area.
One notable example is a qui tam lawsuit against Penn State University, which was unsealed on September 1, 2023. The lawsuit alleges non-compliance with Department of Defense (DoD) cybersecurity obligations. Specifically, it is claimed that Penn State University failed to provide “adequate security” for Covered Defense Information (CDI), as contractually required by the DFARS 252.204-7012 clause.
Under this clause, “adequate security” is defined as implementing all 110 controls outlined in NIST SP 800-171. Federal regulations require DoD contractors to conduct a self-assessment of compliance with these controls and report a compliance score in DoD’s Supplier Performance Risk System (SPRS).
The lawsuit alleges that Penn State falsified at least 20 documents related to its NIST SP 800-171 self-assessment and other self-attestations. Despite never reaching DFARS compliance, the university had been falsely attesting to compliance since January 1, 2018.
Furthermore, the lawsuit alleges sensitive information was put at risk when the university migrated some of its data to a commercial cloud-storage service. The relator in the case served as the interim Chief Information Officer at Penn State’s Applied Research Laboratory in 2015 and was a part of a team assigned to evaluate Penn State University’s compliance in early 2022.
Implications
These cases suggest that the number of enforcement actions and publicity associated with previously-sealed qui tam cases will continue to increase. They also signal that contractors and universities should brace for additional scrutiny in this area.
In light of these developments, it is crucial for organizations to examine their cybersecurity practices and ensure they are in compliance with all relevant regulations. This includes conducting regular self-assessments of compliance with controls such as those outlined in NIST SP 800-171.
Moreover, organizations must be transparent about their cybersecurity practices. Falsifying documents or attesting to compliance without actually meeting the necessary standards can lead to serious consequences, as seen in the Penn State case. Failure to comply with these standards can result in significant legal and financial consequences.
General Counsels discuss how they are incorporating ESG policies into their company-wide initiatives.
A look into the legal job market, and how COVID-19 has affected job prospects for individuals seeking work, based on data from The US Bureau of labor statistics, Indeed, LinkedIn, and the Legal.io Community.
The plea comes ahead of the trial of former FTX founder, Sam Bankman-Fried
Recent legal cases, including Scarlett Johansson's accusation against OpenAI and a class action lawsuit against LOVO, highlight the need for legal regulation in voice AI technology.
Legal Operations professionals talk through what legal metrics dashboards work for their teams.
The Federal Trade Commission's non-compete ban has been blocked nationwide after Texas Federal Judge Ada Brown ruled that the agency lacked the authority to enact the “unreasonably overbroad” regulation.
Published weekly on Friday, the Legal.io Newsletter covers the latest in legal, talent & tech.
Join our host and CEO, Pieter Gunst, as he explores the career journey of Stacy Lettie, Director of Legal Operations at Adtalem Global Learning.
LexisNexis has announced its acquisition of Belgian startup Henchman with the goal being to enhance its AI-powered legal solutions and integrate Henchman's advanced contract drafting capabilities.
