Securities Lawyer Blog

Consulting Companies to Pay $11.3M for Failing to Comply with Cybersecurity Requirements in Federally Funded Contract

Monday, June 17, 2024 — The Department of Justice’s Office of Public Affairs has announced that Guidehouse Inc. and Nan McKay and Associates (Nan McKay) have agreed to pay a combined $11.3 million to resolve allegations that they violated the False Claims Act. The allegations stemmed from their failure to meet the cybersecurity requirements of a contract to provide a secure online platform through which low-income New Yorkers could apply for federal rental assistance during the COVID-19 pandemic.

Background

In early 2021, Congress established the Emergency Rental Assistance Program (ERAP) to help eligible low-income households with rent, utilities, and other housing-related expenses during the COVID-19 pandemic. New York’s Office of Temporary and Disability Assistance (OTDA) was responsible for administering the ERAP in the state. Guidehouse Inc., headquartered in McLean, Virginia, was the prime contractor responsible for the ERAP technology and services in New York. Nan McKay, based in El Cajon, California, served as Guidehouse’s subcontractor and was tasked with delivering and maintaining the ERAP technology product for online applications.

Cybersecurity Failures and Data Breach

Guidehouse and Nan McKay were jointly responsible for ensuring that the ERAP Application underwent the required cybersecurity testing before its public launch. Both companies admitted that they failed to complete that pre-production testing. The ERAP website nonetheless went live on June 1, 2021, and was shut down 12 hours later after it was discovered that applicants’ personally identifiable information (PII) had been exposed and was accessible on the internet. The companies acknowledged that proper cybersecurity testing could have detected and prevented the breach.

Additionally, Guidehouse admitted to using a third-party cloud data software program to store PII without first obtaining OTDA’s permission, in violation of its contractual obligations.

Financial Penalties and Settlements

  • Guidehouse Inc. paid $7,600,000 to resolve the allegations.

  • Nan McKay and Associates paid $3,700,000 to resolve the allegations.

The settlements also provide for the whistleblower, Elevation 33 LLC, an entity owned by a former Guidehouse employee, to receive $1,949,250 of the settlement amounts for its role in bringing the violations to light.

Statements from Officials

Principal Deputy Assistant Attorney General Brian M. Boynton emphasized the importance of complying with cybersecurity obligations tied to federal funding, stating, “The Justice Department will continue to pursue knowing violations of material cybersecurity requirements aimed at protecting sensitive personal information.”

U.S. Attorney Carla B. Freedman for the Northern District of New York added, “Contractors who receive federal funding must take their cybersecurity obligations seriously. We will continue to hold entities and individuals accountable when they knowingly fail to implement and follow cybersecurity requirements essential to protect sensitive information.”

Acting Inspector General Richard K. Delmar of the Department of the Treasury remarked on the critical nature of data integrity, especially in programs vital to government pandemic recovery efforts.

New York State Comptroller Thomas P. DiNapoli highlighted the importance of safeguarding personal information and maintaining the integrity of rental assistance programs.

Civil Cyber-Fraud Initiative

This case aligns with the Department of Justice’s Civil Cyber-Fraud Initiative, announced on October 6, 2021, which seeks to hold entities accountable for cybersecurity deficiencies that jeopardize sensitive information. The initiative focuses on ensuring that contractors and grantees uphold their cybersecurity commitments.

Conclusion

This settlement sends a clear message to contractors about the serious consequences of failing to meet cybersecurity requirements. It underscores the importance of maintaining rigorous cybersecurity practices, particularly when handling sensitive personal information in federally funded programs.

For more information on this case and to learn about how to report cyber fraud, visit the Department of Justice website.

Stay tuned to our blog for more updates on legal news and insights into cybersecurity and compliance.

Gayatri Gupta