What You Need to Know
- Key takeaway #1
This is the third public FCA Civil Cyber Fraud settlement based on a state-level contract (after Jelly Bean Communications Design LLC, announced by DOJ in March 2023, and Insight Global LLC, announced by DOJ in May 2024) and the third settlement under DOJ's Civil Cyber-Fraud Initiative initiated by a qui tam complaint. See United States ex rel. Elevation 33, LLC v. Guidehouse Inc. et al., Case No. 1:22-cv-206 (N.D.N.Y.).
- Key takeaway #2
Although a third party investigated and found that no PII was viewed or used by unauthorized parties, Guidehouse nevertheless agreed to pay $7.6 million and Nan McKay agreed to pay $3.7 million, for a total of $11.3 million, of which approximately ten percent ($1.125 million) was earmarked for restitution.
- Key takeaway #3
This settlement is a reminder that DOJ will continue to rely on whistleblowers and relators, and pursue aggressive recoveries under its Civil Cyber-Fraud Initiative.
- Key takeaway #4
- There are many sources of cybersecurity obligations (e.g., statutes, agency regulations, contractual agreements, etc.) that may apply to any government contractor, including contractors who are not providing traditional cybersecurity services. Companies should be mindful of their compliance with all contractual provisions relating to cybersecurity, which may include the traditional implementation of security controls, the completion of cybersecurity testing and scanning, and obtaining approval to use third-party cloud software to store data that is incidental to contract performance.
On June 17, 2024, the Department of Justice (DOJ) announced a $11.3 million False Claims Act (FCA) settlement that touches on two key enforcement priorities: the DOJ's Civil Cyber-Fraud Initiative and pandemic-related fraud. This settlement, the largest under the Civil Cyber-Fraud Initiative to date, resolved allegations that Guidehouse Inc. (Guidehouse) and its subcontractor, Nan McKay and Associates (Nan McKay), violated the FCA because they failed to conduct pre‑production cybersecurity testing on New York State's Emergency Rental Assistance Program (ERAP) technology product before public launch, and that Guidehouse used an unapproved third-party data cloud software program to store personally identifiable information (PII).
New York State created ERAP to distribute COVID-19 relief funding to eligible tenants and landlords in New York. The State's Office of Temporary and Disability Assistance (OTDA) was responsible for administering the ERAP, and it designated Guidehouse as the prime contractor and Nan McKay as the subcontractor. The contract required Guidehouse to perform cybersecurity testing and scans prior to the launch of ERAP. Guidehouse included these requirements in its subcontract with Nan McKay, who in turn was responsible for delivering and maintaining the technology product used by New York residents, but Guidehouse also retained the right to perform its own application and webserver testing and scanning, as appropriate.
Nan McKay and Guidehouse conceded that neither completed the required pre‑production cybersecurity testing before New York's ERAP went live on June 1, 2021. Twelve hours after the ERAP was launched, a cybersecurity incident occurred, which resulted in commercial search engines accessing PII from ERAP for a limited group of individuals. According to Guidehouse and Nan McKay settlement agreements, the conditions that allowed for the incident to occur may have been detected—and thus prevented—if either Guidehouse or Nan McKay had conducted the contractually-required pre-go-live cybersecurity testing. Additionally, Guidehouse acknowledged in its settlement agreement that it used a third-party data cloud software program to administer a program adjacent to the ERAP and to store PII, in violation of the contract's standards and the requirement to seek and receive OTDA's approval of unauthorized software.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.