Guidehouse Inc., headquartered in McLean, Virginia, has paid $7.6 million and Nan McKay and Associates (Nan McKay), headquartered in El Cajon, California, has paid $3.7 million to resolve allegations that they violated the False Claims Act by failing to meet cybersecurity requirements in contracts intended to ensure a secure environment for low-income New Yorkers to apply online for federal rental assistance during the COVID-19 pandemic.
In early 2021, Congress established the Emergency Rental Assistance Program (ERAP) to provide financial assistance to eligible low-income households to cover rent, rental arrears, utilities, and other housing-related expenses during the COVID-19 pandemic. Participating governments were required to establish programs to distribute the federal funding to eligible tenants and landlords. In New York, the Office of Temporary and Disability Assistance (OTDA) was responsible for administering New York’s ERAP.
In May 2021, Guidehouse and OTDA entered into a contract under which Guidehouse assumed responsibility for the New York ERAP as the prime contractor. This included managing ERAP technology and services provided to New Yorkers. Nan McKay served as Guidehouse’s subcontractor and was responsible for delivering and maintaining the ERAP technology product used in New York for online applications requesting rental assistance.
Guidehouse and Nan McKay shared responsibility for ensuring that the ERAP Application underwent cybersecurity testing in its pre-production environment before it was launched publicly. As part of today's settlements, both companies admitted that they did not complete the required pre-production cybersecurity testing. The state’s ERAP went live on June 1, 2021; twelve hours later, OTDA shut down the website after determining that certain applicants’ personally identifiable information (PII) had been compromised and portions were available on the internet. Both companies acknowledged that had they conducted the contractually-required cybersecurity testing, they might have detected conditions leading to this breach.
Additionally, Guidehouse admitted that it used a third-party data cloud software program briefly in 2021 without obtaining OTDA’s permission first, violating its contract.
“Federal funding frequently comes with cybersecurity obligations, and contractors and grantees must honor these commitments,” said Principal Deputy Assistant Attorney General Brian M. Boynton of the Justice Department's Civil Division. “The Justice Department will continue to pursue knowing violations of material cybersecurity requirements aimed at protecting sensitive personal information.”
“Contractors who receive federal funding must take their cybersecurity obligations seriously,” said U.S. Attorney Carla B. Freedman for the Northern District of New York. “We will continue to hold entities and individuals accountable when they knowingly fail to implement and follow cybersecurity requirements essential to protect sensitive information.”
“These vendors failed to meet their data integrity obligations in a program on which so many eligible citizens depend for rental security," said Acting Inspector General Richard K. Delmar of the Department of Treasury's Office of Inspector General (OIG). "Treasury OIG is grateful for DOJ’s support of its oversight work."
“This settlement sends a strong message," said New York State Comptroller Thomas P. DiNapoli."Rental assistance has been vital to our economic recovery... I thank [our partners]...for exposing this breach."
On October 6th, 2021, Deputy Attorney General announced Civil Cyber-Fraud Initiative aims at holding accountable those putting sensitive information at risk by knowingly providing deficient products or misrepresenting practices or protocols.
The United States’ investigation was prompted by a lawsuit filed under whistleblower provisions permitting private parties suing on behalf government if false claims are submitted; Elevation 33 LLC received $1.95 million share from settlements.
Trial Attorney J.Jennifer Koh & Assistant U.S.Attorney Adam J.Katz handled matter with Treasury OIG & NYS Comptroller office assisting.
___