Caught in the crosshairs of compliance, Penn State's recent lawsuit is more than just a headline—it's a cautionary tale for the academic world.
Very recently, R1 universities find themselves grappling with new compliance challenges as the federal government suits up and zones in on strengthening its cybersecurity posture.
So, what went wrong at Penn State, and what can other institutions glean from their missteps?
According to SC Media, the U.S. government is suing Penn State University under the False Claims Act. The gov claims that Penn State misled or lied about following government cybersecurity requirements when they worked on federal contracts. The lawsuit is based on claims made by Matthew Decker, the chief information officer (a high-ranking IT official) at a Penn State research lab. He also had a temporary high-ranking IT position at Penn State in 2016.
Penn State, like many other institutions that work with the defense department, handles CUI (Controlled Unclassified Information) - sensitive data that isn't top-secret, but still needs to be managed securely. Institutions like Penn are required to prove they’re protecting controlled unclassified information by following guidelines made by the National Institute for Standards and Technology (NIST), including NIST 800-171 compliance which is a codification of cybersecurity requirements that must be followed when handling CUI. This involves 22 specific rules that cover things like digital security, physical protection, audits, risk checks, and ensuring everything is set up securely
Right now, many organizations just have to assure the government they're following these rules. But the government and Decker say Penn State has been lying about following these rules.
The lawsuit alleges that although Penn State claimed they were following the rules since December 31, 2017, they weren't. Decker claims that after he left his temporary role, he noticed missing records for some university projects. Instead of properly addressing this, the university just uploaded template documents to pretend like they had the proper records.
In 2020, Penn State changed their cloud storage service to one that wasn't approved by the federal government. In 2022, when there were concerns about Penn State's contracts with NASA, Penn State's new temporary IT head said they were compliant with NIST 800-171 security standards because of a specific university policy. But a later review showed that Penn State hadn't been compliant for a while… since January 1, 2018 to be exact.
This lawsuit against Penn State is part of a bigger effort by the U.S. Department of Justice. They're trying to make sure that government contractors and subcontractors are honest about their cybersecurity efforts. For many, it feels like a shockwave of many recent attempts by the federal government to prioritize cybersecurity, evidenced by executive orders, publicized security strategies, state and local cyber grants, and tightened security requirements like CMMC 2.0, FTC Safeguards, and more. R1 institutions feel the aftershock, particularly ones that do research for federal agencies like the Department of Defense (DoD).
The government started a new effort to investigate false claims related to cybersecurity in government contracts. The goal is to find and discourage weak cybersecurity practices in companies that work with the government. It’s simple; weak practices could lead to government systems being compromised and sensitive information being exposed.
A different contractor named Aerojet Rocketdyne faced a similar lawsuit from the Department of justice in 2022, but that case ended in a $9 million settlement and ultimately dodged “example making.” A clear precedent was never set as a result.
The Penn State lawsuit sends a resonating signal across the R1 university landscape: the stakes for compliance have never been higher. The heightened scrutiny from the Department of Justice underscores the baseline criticality of maintaining robust cybersecurity measures. For R1 institutions, this isn't just about averting lawsuits or penalties, but fundamentally about their core mission.
Research, often at the frontier of innovation and impacting global change, relies heavily on partnerships, funding, and collaborations with governmental entities. Non-compliance not only tarnishes reputations but can jeopardize these valuable partnerships, halting research efforts and stymieing academic progress.
It’s a watch-and-learn process. Here’s what you should be taking away from this incident, so your university doesn’t experience the same:
Incidents like Penn State's drive home a point: data protection in top-tier institutions like R1 universities isn't optional. With a mix of student records and groundbreaking research data, the stakes are far too high.
This is where a focused, data-centric approach to security becomes a game-changer. Virtru simplifies this. Instead of a blanket approach, it zeroes in on data at the object level, ensuring it’s protected and in your control whether in a complex system or on the move. It’s like having your unstructured data on a leash, with access controls always at your disposal even when the data has left your perimeter.
What sets Virtru apart? It's the smart automation, like instantly encrypting sensitive emails, which cuts down on mistakes. And if you're watching the budget, it's a more affordable choice than options like GCC High. The transition? Easier than you'd think, with Virtru's seasoned team guiding the way. It's more than a tool—it's a partnership built to understand the unique challenges of R1 institutions.
Looking to boost your data protection and meet standards like CMMC 2.0? Reach out to our team today.