DOJ Is Taking Cybersecurity Seriously; Contractors Should Too

Cohen Seglias Pallas Greenhall & Furman PC

In 2021, the DOJ announced its Civil-Cyber-Fraud Initiative, which focused on contractors who fail to follow required cybersecurity standards. The initiative is aimed at accountability for knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

On June 17, 2024, the Department of Justice announced that two consulting companies agreed to pay $11.3 million to resolve alleged False Claims Act (FCA) violations stemming from contracts intended to provide a secure online environment for applications by low-income New York residents for federal rental assistance during the COVID-19 pandemic. In settling this matter, the companies did not admit liability but did accept responsibility for their conduct.

The Emergency Rental Assistance Program (ERAP) was established by Congress in 2021 and designed to provide financial assistance to qualifying low-income households. Financial assistance was intended to cover rent, rental arrears, utilities, and other housing-related expenses. New York’s Office of Temporary and Disability Assistance (OTDA) was responsible for facilitating the disbursement of ERAP funding to eligible tenants and landlords in the state. OTDA entered into a contract with Guidehouse, Inc., a consulting firm, to operate the program, including the delivery and maintenance of the associated ERAP technology. Guidehouse subcontracted the delivery and maintenance of the ERAP technology product used by applicants to request financial assistance to Nan McKay & Associates (Nan McKay).

Under Guidehouse’s contract with OTDA, the company was required to perform cybersecurity testing of the ERAP online application process in a pre-production environment before publicly launching it. Guidehouse included this requirement in its subcontract with Nan McKay while also retaining the right to perform its own cybersecurity testing of the application, as appropriate. However, neither of the two companies performed the required pre-production cybersecurity testing before the application system went live. Within 12 hours, OTDA had to shut the system down after determining that applicants’ personally identifiable information had been compromised and made available on the Internet. Both companies admitted that if either of them had performed the contractually mandated cybersecurity testing, the situation may have been avoided. In addition to failing to perform the requisite cybersecurity testing, Guidehouse admitted to storing personally identifiable information on a third-party data cloud software program without first obtaining OTDA’s permission. This, too, was a contractual violation.

This case serves as a reminder that all contractors should take their cybersecurity obligations seriously, or they may be subject to actions under the FCA.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cohen Seglias Pallas Greenhall & Furman PC | Attorney Advertising
