Contractors Agree to Pay $11.3 Million to Resolve Alleged Violations of Cybersecurity Requirements in Federally Funded Contract

Kelley Drye Client Advisory

The Department of Justice (DOJ) recently announced a significant settlement of a False Claims Act (FCA) case under its Civil Cyber-Fraud Initiative. Guidehouse Inc., a management, business and information technology consulting company, agreed to pay $7.6 million, and Nan McKay and Associates (NMA), a consulting firm providing services to municipal and state governmental agencies engaged in various housing-related programs, agreed to pay $3.7 million to resolve allegations that they violated the cybersecurity requirements in a federally funded contract.

The New York State contract, issued under a U.S. Treasury-run grant program, involved the development and maintenance of a technological application for low-income residents to apply for financial assistance to cover the costs of rent, rental arrears, utilities and other housing-related expenses during the pandemic. The funds for the program came from emergency rental assistance programs (ERAP) established by Congress in 2021 as part of its COVID relief funding.

The State designated the Office of Temporary and Disability Assistance (OTDA) to administer the program. OTDA contracted with Guidehouse to provide the technology and services to run the ERAP program. NMA served as the subcontractor responsible for delivering and maintaining the technology product (ERAP Application) used by applicants to fill out forms and submit their applications.

The ERAP prime contract required that Guidehouse perform certain cybersecurity testing and scanning before launching the ERAP Application to the public, and those pre-production obligations were flowed down to NMA. However, neither NMA nor Guidehouse completed the required testing before launch. Almost immediately after going live, it became clear that certain applicants’ personally identifiable information (PII) was being accessed by commercial search engines, and OTDA shut down the ERAP website just 12 hours after launch.

The relator (or whistleblower) in this case is an entity owned by a former Guidehouse employee, who will receive nearly $2 million of the settlement funds. Under its Civil Cyber-Fraud Initiative, DOJ has utilized the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients.

This case further demonstrates that DOJ will pursue companies that fail to meet the cybersecurity requirements in their contracts. This is an emerging area of FCA litigation in which qui tam relators are incentivized to file suit based on such failures where federally funded contracts, or state-issued contracts under federal grant programs, are involved.

The case is United States ex rel. Elevation 33, LLC v. Guidehouse Inc., and Nan McKay and Associates, Inc., Case No. 1:22-cv-206 (N.D.N.Y.).