Companies pay $11.3M to resolve allegations involving cybersecurity requirements – Saratogian
ALBANY, N.Y. — Guidehouse Inc., headquartered in McLean, Virginia, recently paid $7.6 million and Nan McKay and Associates (Nan McKay), headquartered in El Cajon, California, paid $3.7 million to resolve allegations they violated the False Claims Act by failing to meet cybersecurity requirements in contracts intended to ensure a secure environment for low-income New Yorkers to apply online for federal rental assistance during the COVID-19 pandemic.
United States Attorney Carla B. Freedman; Principal Deputy Assistant Attorney General Brian M. Boynton of the Department of Justice’s Civil Division; Acting Inspector General Richard K. Delmar of the Department of the Treasury’s Office of Inspector General (Treasury OIG); and New York State Comptroller Thomas P. DiNapoli announced the settlements in a press release.
In early 2021, Congress established the Emergency Rental Assistance Program (ERAP) to provide financial assistance to eligible low-income households to cover the costs of rent, rental arrears, utilities and other housing-related expenses during the COVID-19 pandemic, officials said. Participating governments were required to establish programs to distribute the federal funding to eligible tenants and landlords.
In New York, the Office of Temporary and Disability Assistance (OTDA) was the state agency responsible for administering New York’s ERAP, the release said. In May 2021, Guidehouse and OTDA entered a contract under which Guidehouse, as the prime contractor, assumed responsibility for the New York ERAP, including for the ERAP technology and services provided to New Yorkers.
Nan McKay, in turn, served as Guidehouse’s subcontractor and was responsible for delivering and maintaining the ERAP technology product used in New York to fill out and submit online applications requesting rental assistance (ERAP Application).
Guidehouse and Nan McKay shared responsibility for ensuring that the ERAP Application underwent cybersecurity testing in its pre-production environment before it was launched to the public, according to the release. As part of the settlements announced Monday, Guidehouse and Nan McKay admitted that neither satisfied their obligation to complete the required pre-production cybersecurity testing.
The State’s ERAP went live on June 1, 2021. Twelve hours later, OTDA shut down the ERAP website after determining that certain applicants’ personally identifiable information (PII) had been compromised and portions were available on the internet, the release said.
Guidehouse and Nan McKay acknowledged that had either of them conducted the contractually required cybersecurity testing, the conditions that resulted in the Information Security Breach may have been detected and the incident prevented, the release said.
In addition, the release said, Guidehouse admitted as part of its settlement that for a short period in 2021 it used a third-party data cloud software program to store personally identifiable information without first obtaining OTDA’s permission, in violation of its contract.
“Contractors who receive federal funding must take their cybersecurity obligations seriously,” Freedman said in the release. “We will continue to hold entities and individuals accountable when they knowingly fail to implement and follow cybersecurity requirements essential to protect sensitive information.”
“Federal funding frequently comes with cybersecurity obligations, and contractors and grantees must honor these commitments,” Boynton added in the release. “The Department of Justice will continue to pursue knowing violations of material cybersecurity requirements aimed at protecting sensitive personal information.”
“These vendors failed to meet their data integrity obligations in a program on which so many eligible citizens depend for rental security, which jeopardized the effectiveness of a vital part of the government’s pandemic recovery effort,” Delmar noted in the release. “Treasury OIG is grateful for DOJ’s support of its oversight work to accomplish this recovery.”
“This settlement sends a strong message to New York State contractors that there will be consequences if they fail to safeguard the personal information entrusted to them or meet the terms of their contracts,” New York State Comptroller Thomas P. DiNapoli said in the release. “Rental assistance has been vital to our economic recovery and the integrity of the program needs to be protected.
“I thank the United States Department of Justice, United States Attorney Freedman and the United States Department of the Treasury Office of Inspector General for their partnership in exposing this breach and holding these vendors accountable,” he continued.
On October 6, 2021, the Deputy Attorney General announced the Department’s Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put sensitive information at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents, officials said. Information on how to report cyber fraud can be found at justice.gov/civil/report-fraud.
The United States’ investigation was prompted by a lawsuit filed under the whistleblower provisions of the False Claims Act, which permit private parties to sue on behalf of the government when they believe that defendants submitted false claims for government funds and to receive a share of any recovery, the release said.
The settlement agreements in this case provide for the whistleblower, Elevation 33, LLC, an entity owned by a former Guidehouse employee, to receive a $1,949,250 share of the settlement amounts. The case is captioned United States ex rel. Elevation 33, LLC v. Guidehouse Inc. et al., Case No. 1:22-cv-206 (N.D.N.Y.).
The investigation was a result of a coordinated effort between the United States Attorney’s Office for the Northern District of New York; the Justice Department’s Civil Division, Commercial Litigation Branch, Fraud Section; Treasury OIG; and the Office of the New York State Comptroller, the release said. The United States was represented by Assistant United States Attorney Adam J. Katz and Trial Attorney J. Jennifer Koh.