Penn State University has agreed to pay $1.25 million to settle allegations that it failed to meet cybersecurity requirements in its federal contracts. The allegations were raised by Matthew Decker, the former Director of IT and CIO of the university’s Applied Research Laboratory, who served in that role from November 2015 to March 2023 and briefly as Interim CIO and Vice Provost for the university in 2016. Decker filed a whistleblower (qui tam) lawsuit under the False Claims Act; as the relator, he will receive $250,000 of the settlement.
The DOJ alleged that Penn State acknowledged cybersecurity shortcomings in federal assessments but failed to develop or implement plans to remediate them. The university denied liability and settled to avoid further litigation, so the settlement includes no finding or admission of wrongdoing.
Why It Matters: The case demonstrates the high stakes involved when universities with federal contracts fail to meet cybersecurity requirements. As part of the DOJ’s ongoing enforcement under the Civil Cyber-Fraud Initiative, this settlement signals heightened scrutiny of cybersecurity compliance across higher education institutions.
- A Whistleblower Lawsuit: Decker served as Director of IT and CIO at the Applied Research Laboratory from 2015 to 2023, with a nine-month stint as Interim CIO/Vice Provost for the university in 2016. His whistleblower complaint alleged cybersecurity violations that resulted in the $1.25 million settlement.
- DOJ’s Allegations: The DOJ alleged that Penn State misrepresented its timelines for reaching compliance and stored or processed covered information on cloud services that had not been approved for it. The university acknowledged documentation shortcomings but denied that any classified information was compromised.
- $250K Whistleblower Reward: Under the False Claims Act, Decker, as the relator, will receive $250,000 of the $1.25 million settlement for bringing the alleged violations to the government’s attention.
- Broader DOJ Enforcement: The case is part of the DOJ’s Civil Cyber-Fraud Initiative, launched in 2021 to ensure organizations protect federal data. A similar lawsuit was recently filed against Georgia Tech.
- Penn State’s Response: In settling the lawsuit, Penn State said it had strengthened its cybersecurity policies to meet its contractual requirements going forward, and stressed that no sensitive data had been compromised.