According to a recent government Press Release, Guidehouse Inc, headquartered in McLean, Virginia, and Nan McKay & Assoc. (Nan McKay), based in El Cajon, California, have agreed to pay $11.3 million to resolve allegations that they failed to meet cybersecurity requirements while administering New York’s Emergency Rental Assistance Program during the COVID-19 pandemic. This stands as the largest-ever cybersecurity False Claims Act settlement in history.
What is the Emergency Rental Assistance Program?
In early 2021, Congress launched the Emergency Rental Assistance Program (ERAP) to provide financial aid to low-income households, covering rent, utilities, and other housing-related expenses. States were responsible for establishing programs to distribute these federal funds. In New York, the Office of Temporary and Disability Assistance (OTDA) was tasked with administering the program. OTDA contracted Guidehouse as the prime contractor. Guidehouse, in turn, subcontracted with Nan McKay to deliver and maintain the technology product used for the online application process.
Guidehouse and Nan McKay’s Cybersecurity Failures
Both entities shared the critical responsibility of ensuring the ERAP application underwent rigorous pre-production cybersecurity testing. Guidehouse and Nan McKay, however, admitted to neglecting this essential task. As a result, when the ERAP went live on June 1, 2021, it took only twelve hours for the OTDA to discover the companies’ cybersecurity failures. OTDA learned that the ERAP applicants’ personally identifiable information (PII) had been compromised and was accessible on the internet. Upon this discovery, OTDA shut down the site. In addition, Guidehouse admitted to using a third-party data cloud software program to store PII without OTDA’s consent. This was a further violation of the contract.
Cybersecurity False Claims Settlement is Part of a DOJ Initiative
The Department of Justice announced the Civil Cyber-Fraud Initiative in October 2021. The Initiative encourages the use of the False Claims Act to hold entities accountable for cybersecurity failures. The False Claims Act is a law that allows whistleblowers to sue persons or entities that are defrauding the government and recover damages and penalties on the government’s behalf. If the suit leads to a financial recovery to the government, as it did here, the whistleblower can share in the recovery. (You can learn more about the types of cybersecurity fraud that whistleblowers can report here).
Elevation 33 LLC, owned by a former Guidehouse employee, filed the whistleblower lawsuit leading to this investigation.
According to the government, Guidehouse will pay $7.6 million and Nan McKay will pay $3.7 million. As its whistleblower reward, Elevation 33, LLC will receive $1.9 million.
Federal Contractors Must Take Cybersecurity Seriously
This incident serves as a cautionary tale for organizations involved in handling sensitive information. It highlights the necessity of robust cybersecurity measures to protect data integrity and privacy. In the digital era, neglecting such responsibilities not only jeopardizes the security of personal information but also leads to significant financial and reputational consequences for the entities involved.
Contractors who receive federal funding must take their cybersecurity obligations seriously. We will continue to hold entities and individuals accountable when they knowingly fail to implement and follow cybersecurity requirements essential to protect sensitive information.
-U.S. Attorney Carla B. Freedman for the Northern District of New York
Trial Attorney J. Jennifer Koh of the DOJ Civil Division’s Commercial Litigation Branch, Fraud Section and Assistant U.S. Attorney Adam J. Katz for the Northern District of New York handled this matter, with assistance from the Department of the Treasury OIG and the Office of the New York State Comptroller.
We Help Whistleblowers Report Cybersecurity Failures
Whistleblower Law Collaborative LLC, based in Boston, devotes its practice entirely to representing clients nationwide in bringing actions under the federal and state False Claims Acts and other whistleblower programs. If you know a government contractor has falsely certified compliance with its cybersecurity requirements, or failed to report a cybersecurity breach, contact us for a confidential consultation.
Our attorneys include several former federal prosecutors with experience safeguarding sensitive government information. We can discuss your concerns in a confidential and secure setting. We can also advise you on the best options to prevent critical information and data from falling into the wrong hands.
