Penn State pays DoJ $1.25M to settle cybersecurity compliance case

Pennsylvania State University has agreed to pay the Justice Department $1.25 million to settle claims of misrepresenting its cybersecurity compliance to the federal government and leaving sensitive data improperly secured.  The settlement order between the DoJ and Penn State resolves allegations from a court case filed two …

  1. An_Old_Dog Silver badge

    If This Were a Similar Situation ...

    Homeowner, complaining to housepainter: "Dude! I paid you to paint the entire exterior of my house, not just the front! You said you did the whole thing, but you didn't! What gives?!"

    Painter: "Significant quantities of paint were utilized in the re-covering of this house. There is no evidence that anything significant escaped through the currently-not-re-covered areas."

    Homeowner: "I'm calling my lawyer." <beep-boop-boop-beep-beep> <long pause> "Ya know? Fuck it." <hangs up phone, looks carefully at the housepainter> <HEADBUTT> <LEFT JAB> <LEFT JAB> <RIGHT CROSS> <HOP> <HOP> <KNEE-TO-THE-CROTCH>.

  2. Guy de Loimbard Silver badge
    FAIL

    Silly mistake!

    It sounds like Penn State were given the opportunity to carry out remedial actions, but didn't do so.

    Easy win for DoJ and probably still cheaper than the remediation work costs for Penn State.

    That said, when you have something like a NIST Standard to follow, they are pretty clear and concise about what's required and are pretty agnostic on how you go about implementing the requirement.

    Also, don't ever tell any Federal Agency you've done something when you haven't, it will bite you in the rear at some stage in the future!

  3. John_Ericsson

    "Penn State abandoned its contract with **government-compliant** cloud host Box in favor of OneDrive, which doesn't meet NIST's CUI security requirements, to save money"

    I've been there countless times with UK universities that get IT to do their Information Governance. IT make a decision without consultation, and when it all kicks off when they tell users to move data to the new repository, they offer the advice "go back to the stakeholder, explain that there is no difference in security". I can guarantee IT would have said "will it be okay if you encrypt the data on OneDrive?".
