In recent weeks, there has been an uptick in news of cyber-related False Claims Act (“FCA”) activity. For example, on September 1, 2023, the court unsealed a qui tam lawsuit against Penn State University relating to allegations of non-compliance with Department of Defense (“DoD”) cybersecurity obligations. Separately, on September 5, 2023, the Department of Justice (“DOJ”) announced a multi-million dollar FCA settlement with Verizon under its Civil-Cyber Fraud Initiative (which focuses on leveraging the FCA to pursue cybersecurity related fraud by government contractors and grant recipients, as we previously discussed here). These and other cases suggest—as many had been speculating—that the number of enforcement actions and publicity associated with previously-sealed qui tam cases will continue to increase. They also signal that contractors and universities should brace for additional scrutiny and potential whistleblower claims in this area.
Whistleblower Allegations Relating to DFARS Cybersecurity Compliance
On September 1, 2023, the U.S. District Court for the Eastern District of Pennsylvania unsealed a qui tam FCA lawsuit (originally filed on October 5, 2022) alleging Penn State University failed to provide “adequate security” for Covered Defense Information (CDI), as contractually required by the DFARS 252.204-7012 clause. Under this clause, “adequate security” is defined as (at least) implementing all 110 controls outlined in NIST SP 800-171. Moreover, federal...
On 23 March 2026, US President Donald Trump posted on a social media platform, Truth Social, that Washington and Tehran were engaged in productive negotiations. Within an hour, oil prices fell by n...