The Department of Justice (DoJ) announced on June 17 that two consulting firms have paid a total of $11.3 million to settle allegations that they violated the False Claims Act by failing to meet cybersecurity requirements in Federally funded contracts.
The payments to settle the allegations – $7.6 million from McLean, Va.-based Guidehouse Inc., and $3.7 million from El Cajon, Calif.-based Nan McKay and Associates – stem from contracts they entered into in 2021 to ensure a secure environment for low-income New Yorkers to apply online for Federal rental assistance during the COVID-19 pandemic.
“Federal funding frequently comes with cybersecurity obligations, and contractors and grantees must honor these commitments,” said Principal Deputy Assistant Attorney General Brian M. Boynton, who heads the Justice Department’s Civil Division. “The Justice Department will continue to pursue knowing violations of material cybersecurity requirements aimed at protecting sensitive personal information.”
The contracts stemmed from action by Congress in 2021 to establish the Emergency Rental Assistance Program (ERAP).
In May 2021, Guidehouse signed a contract with the New York Office of Temporary and Disability Assistance (OTDA) as a prime contractor and “assumed responsibility for the New York ERAP, including for the ERAP technology and services provided to New Yorkers,” DoJ said. Nan McKay signed on as a subcontractor and “was responsible for delivering and maintaining the ERAP technology product used in New York to fill out and submit online applications requesting rental assistance (ERAP Application),” the agency said.
“The state’s ERAP went live on June 1, 2021. Twelve hours later, OTDA shut down the ERAP website after determining that certain applicants’ personally identifiable information (PII) had been compromised and portions were available on the internet,” DoJ recounted.
According to DoJ, both firms shared responsibility for “ensuring that the ERAP Application underwent cybersecurity testing in its pre-production environment before it was launched to the public.”
But as part of the settlements announced on June 17, “Guidehouse and Nan McKay admitted that neither satisfied their obligation to complete the required pre-production cybersecurity testing,” DoJ said.
Both firms, DoJ said, “acknowledged that had either of them conducted the contractually-required cybersecurity testing, the conditions that resulted in the information security breach may have been detected and the incident prevented.”
“Contractors who receive federal funding must take their cybersecurity obligations seriously,” said U.S. Attorney Carla B. Freedman for the Northern District of New York. “We will continue to hold entities and individuals accountable when they knowingly fail to implement and follow cybersecurity requirements essential to protect sensitive information.”