Consulting Companies to Pay $11.3M for Failing to Comply with Cybersecurity Requirements in Federally Funded Contract

Guidehouse Inc., headquartered in McLean, Virginia, has paid $7,600,000 and Nan McKay and Associates (Nan McKay), headquartered in El Cajon, California, has paid $3,700,000 to resolve allegations that they violated the False Claims Act by failing to meet cybersecurity requirements in contracts intended to ensure a secure environment for low-income New Yorkers to apply online for federal rental assistance during the COVID-19 pandemic.

In early 2021, Congress established the emergency rental assistance program (ERAP) to provide financial assistance to eligible low-income households to cover the costs of rent, rental arrears, utilities and other housing-related expenses during the COVID-19 pandemic. Participating governments were required to establish programs to distribute the federal funding to eligible tenants and landlords. In New York, the Office of Temporary and Disability Assistance (OTDA) was the state agency responsible for administering New York’s ERAP. In May 2021, Guidehouse and OTDA entered a contract under which Guidehouse, as the prime contractor, assumed responsibility for the New York ERAP, including for the ERAP technology and services provided to New Yorkers. Nan McKay, in turn, served as Guidehouse’s subcontractor and was responsible for delivering and maintaining the ERAP technology product used in New York to fill out and submit online applications requesting rental assistance (ERAP Application).

Guidehouse and Nan McKay shared responsibility for ensuring that the ERAP Application underwent cybersecurity testing in its pre-production environment before it was launched to the public. As part of the settlements announced today, Guidehouse and Nan McKay admitted that neither satisfied their obligation to complete the required pre-production cybersecurity testing. The state’s ERAP went live on June 1, 2021. Twelve hours later, OTDA shut down the ERAP website after determining that certain applicants’ personally identifiable information (PII) had been compromised and portions were available on the internet. Guidehouse and Nan McKay acknowledged that had either of them conducted the contractually-required cybersecurity testing, the conditions that resulted in the information security breach may have been detected and the incident prevented.

In addition, as part of its settlement, Guidehouse admitted that for a short time period in 2021, it used a third-party data cloud software program to store personally identifiable information without first obtaining OTDA’s permission, in violation of its contract.

“Federal funding frequently comes with cybersecurity obligations, and contractors and grantees must honor these commitments,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department's Civil Division. “The Justice Department will continue to pursue knowing violations of material cybersecurity requirements aimed at protecting sensitive personal information.”

“Contractors who receive federal funding must take their cybersecurity obligations seriously,” said U.S. Attorney Carla B. Freedman for the Northern District of New York. “We will continue to hold entities and individuals accountable when they knowingly fail to implement and follow cybersecurity requirements essential to protect sensitive information.”

“These vendors failed to meet their data integrity obligations in a program on which so many eligible citizens depend for rental security, which jeopardized the effectiveness of a vital part of the government’s pandemic recovery effort,” said Acting Inspector General Richard K. Delmar of the Department of the Treasury. “Treasury OIG is grateful for DOJ’s support of its oversight work to accomplish this recovery.”

“This settlement sends a strong message to New York State contractors that there will be consequences if they fail to safeguard the personal information entrusted to them or meet the terms of their contracts,” said New York State Comptroller Thomas P. DiNapoli. “Rental assistance has been vital to our economic recovery, and the integrity of the program needs to be protected. I thank the United States Department of Justice, United States Attorney for the Northern District of New York Freedman and the United States Department of Treasury Office of the Inspector General for their partnership in exposing this breach and holding these vendors accountable.” 

On Oct. 6, 2021, the Deputy Attorney General announced the department’s Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put sensitive information at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols or knowingly violating obligations to monitor and report cybersecurity incidents. Information on how to report cyber fraud can be found here.

The United States’ investigation was prompted by a lawsuit filed under the whistleblower provisions of the False Claims Act, which permit private parties to sue on behalf of the government when they believe that defendants submitted false claims for government funds, and to receive a share of any recovery. The settlement agreements in this case provide for the whistleblower, Elevation 33 LLC, an entity owned by a former Guidehouse employee, to receive a $1,949,250 share of the settlement amounts. The case is captioned United States ex rel. Elevation 33, LLC v. Guidehouse Inc. et al., Case No. 1:22-cv-206 (N.D.N.Y.)

Trial Attorney J. Jennifer Koh of the Civil Division's Commercial Litigation Branch, Fraud Section and Assistant U.S. Attorney Adam J. Katz for the Northern District of New York handled this matter, with assistance from the Department of the Treasury OIG and the Office of the New York State Comptroller.