In IT? Need cash? Cybersecurity whistleblowers earn large amounts of money.

    Matthew Decker is the former chief information officer of Penn State University's Applied Research Laboratory. Since October, he has also been $250,000 richer.

    In his position at Penn State, Decker was well-positioned to see that the university was not implementing all of the cybersecurity controls required under its various contracts with NASA and the Department of Defense (DoD). For example, it did not use a third-party cloud services provider that met Defense Department security guidelines, and it distorted some of the self-submitted “scores” it had given to the government on Penn State's IT security.

    So Decker sued the school under the False Claims Act, which allows private individuals to file lawsuits on behalf of the government against organizations if they encounter evidence of misconduct related to government contracts. In many of these cases, the government later steps in to help with the case (as happened here), but whether it does or not, whistleblowers can collect a percentage of the fines if they win.

    In October, Penn State agreed to a $1.25 million settlement with the government; Decker got $250,000 of the money.

    On the regular

    This now happens with some regularity in IT. In November, Dell, Dell Federal Systems and Iron Bow Technologies settled with the government for $4.3 million over claims that they “violated the False Claims Act by submitting and causing uncompetitive bids to the military and thereby overcharging the Army under the Army Desktop and Mobile Computing 3 (ADMC-3) contract.”

    But again, this wasn't something the government discovered on its own; a whistleblower named Brent Lillard, who was an executive at another company in the industry, filed the first complaint. For his work, Lillard earned just $345,000.

    In early December, Gen Digital (formerly Symantec) paid a much larger sum – $55.1 million – after losing a lawsuit in 2022. Gen Digital/Symantec was found liable for charging the government higher prices than it charged companies.

    Once again, the issue was exposed by a whistleblower, Lori Morsell, who oversaw the contract for Gen Digital/Symantec. Morsell's reward has not yet been determined by the court, but given the amount of the payout it should be significant.

    False Claims Act goes digital

    Because of the complexity of investigating – or even discovering – technical glitches and False Claims Act cases from outside an organization, the government is increasingly relying on whistleblowers to initiate these types of IT cases.