Federal Contracts Bring Heightened Retaliation Risks For NPOs

Written exclusively for ChubbWorks for Not-for-Profit Zone

January 15, 2025

Penn State University agreed to pay $1.25 million to settle a whistleblower lawsuit alleging failure to comply with cybersecurity requirements in federal contracts.

Matthew Decker, former chief information officer at Penn State's Applied Research Laboratory, will receive $250,000 from the settlement.

The university was accused of violating the False Claims Act by not implementing required cybersecurity controls in contracts with the Defense Department and NASA.

According to the source:

In a written statement, Decker thanked his attorneys for their help in what he described as "likely a precedent-setting case." "I filed because there was nothing else I could do internally, and I had reached my limits of frustration and increasing personal risk in trying to resolve matters from within," Decker said. "After decades of loyalty to national defense, and with my understanding of the consequences of having our adversaries obtaining sensitive defense research information, it is unacceptable to me for any organization to falsely attest or even fabricate data asserting security and compliance with such sensitive information, which is produced on tax-payers dollars. It is also unethical for any organization to illegitimately knock others out of fair competition."

Penn State did not admit wrongdoing. https://www.centredaily.com/news/local/education/penn-state/article294431214.html (Oct. 23, 2024).

Commentary

In the above source, the claimed whistleblower protection is under the False Claims Act ("FCA").

The FCA includes provisions that protect whistleblowers from retaliation. This means that if an employee is fired, demoted, harassed, or otherwise discriminated against for reporting fraud, the whistleblower can file a retaliation claim under the FCA.

The source does not indicate whether the claims from whistleblower Decker led to a federal investigation. Under the laws of retaliation, even if the claims made by the whistleblower are not investigated or even viewed as true, the whistleblower is protected from retaliation.

The source also does not state whether Decker lost his job. Retaliation is not always in the form of a wrongful termination. Retaliation can include loss of a promotion; being demoted; losing security privileges or harassment.

Retaliation continues to carry the highest risk for employers.

Below is a list of opportunities of employment and terms from which retaliation claims can arise if a negative employment action is taken that affects the terms and conditions of employment, including:

  • Recruiting
  • Hiring
  • Promoting
  • Transferring
  • Training
  • Disciplining
  • Discharging
  • Assigning work
  • Measuring performance, or
  • Providing benefits.
Finally, your opinion is important to us. Please complete the opinion survey:

What's New

Cyberattacks On Infrastructure Are Attacks On Everyone

A cyberattack on a water utility does not make headline news, but it is an ominous warning to all businesses. We explain.

Misconfigured Web Servers Lead To Breaches And Later To Liability

A medical claims processing company owes $6.49M to 600K inmates because of a misconfigured server. We explain.

Why Does This G-20 Nation Keep Sending Me Phishing?

The DOJ breaks up a Russian spear phishing campaign. We examine why spear phishing is still so effective. ?


This site uses essential/technical cookies to function. Cookies allow us to provide the best experience possible and must be enabled to use this site properly. By continuing to use this site, you agree to our use of cookies. Please see our Privacy Policy or How to Enable Cookies for more information.

An error has occurred. We have been notified and are working to resolve the problem. Please return to the front page and try this action again later.

Error!

An Error has ocurred on this site.

The error has been reported to our programmers and we are working to correct it. We generally get errors fixed overnight, so please feel free to try this action again tomorrow.