Consulting Companies to Pay $11.3M for Failing to Comply with Cybersecurity Requirements in Federally Funded Contract

Author: Destiny Aigbe

June 17, 2024

The Office of Public Affairs has announced that Guidehouse Inc. and Nan McKay and Associates (Nan McKay) have agreed to pay a combined total of $11.3 million to resolve allegations of violating the False Claims Act. The violations stemmed from their failure to meet cybersecurity requirements in a contract aimed at securing a safe environment for low-income New Yorkers to apply online for federal rental assistance during the COVID-19 pandemic.

Background

In early 2021, Congress established the Emergency Rental Assistance Program (ERAP) to help eligible low-income households with rent, utilities, and other housing-related expenses during the COVID-19 pandemic. New York’s Office of Temporary and Disability Assistance (OTDA) was responsible for administering the ERAP in the state. Guidehouse Inc., headquartered in McLean, Virginia, was the prime contractor responsible for the ERAP technology and services in New York. Nan McKay, based in El Cajon, California, served as Guidehouse’s subcontractor and was tasked with delivering and maintaining the ERAP technology product for online applications.

Cybersecurity Failures and Data Breach

Guidehouse and Nan McKay were jointly responsible for ensuring that the ERAP Application underwent necessary cybersecurity testing before its public launch. However, both companies admitted to failing to complete the required pre-production cybersecurity testing. As a result, the ERAP website went live on June 1, 2021, but was shut down 12 hours later when it was discovered that applicants’ personally identifiable information (PII) had been compromised and was accessible on the internet. The companies acknowledged that proper cybersecurity testing could have detected and prevented the breach.

Additionally, Guidehouse admitted to using a third-party data cloud software program to store PII without obtaining OTDA’s permission, violating its contractual obligations.

Financial Penalties and Settlements

  • Guidehouse Inc. paid $7,600,000 to resolve the allegations.
  • Nan McKay and Associates paid $3,700,000 to resolve the allegations.

The settlements also provided for a whistleblower, Elevation 33 LLC, an entity owned by a former Guidehouse employee, to receive $1,949,250 of the settlement amounts for its role in uncovering the violations.

Statements from Officials

Principal Deputy Assistant Attorney General Brian M. Boynton emphasized the importance of complying with cybersecurity obligations tied to federal funding, stating, “The Justice Department will continue to pursue knowing violations of material cybersecurity requirements aimed at protecting sensitive personal information.”

U.S. Attorney Carla B. Freedman for the Northern District of New York added, “Contractors who receive federal funding must take their cybersecurity obligations seriously. We will continue to hold entities and individuals accountable when they knowingly fail to implement and follow cybersecurity requirements essential to protect sensitive information.”

Acting Inspector General Richard K. Delmar of the Department of the Treasury remarked on the critical nature of data integrity, especially in programs vital to government pandemic recovery efforts.

New York State Comptroller Thomas P. DiNapoli highlighted the importance of safeguarding personal information and maintaining the integrity of rental assistance programs.

Civil Cyber-Fraud Initiative

This case aligns with the Department of Justice’s Civil Cyber-Fraud Initiative, announced on October 6, 2021, which seeks to hold entities accountable for cybersecurity deficiencies that jeopardize sensitive information. The initiative focuses on ensuring that contractors and grantees uphold their cybersecurity commitments.

Conclusion

This settlement sends a clear message to contractors about the serious consequences of failing to meet cybersecurity requirements. It underscores the importance of maintaining rigorous cybersecurity practices, particularly when handling sensitive personal information in federally funded programs.

For more information on this case and to learn about how to report cyber fraud, visit the Department of Justice website.
