In a significant legal development, two consulting companies, Guidehouse Inc. and Nan McKay and Associates, have agreed to pay a combined total of $11.3 million to resolve allegations of failing to meet cybersecurity requirements in a federally funded contract. The contract, part of the emergency rental assistance program (ERAP) established by Congress in early 2021, aimed to provide financial relief to low-income households affected by the COVID-19 pandemic. This case highlights the critical importance of cybersecurity in government contracts and the severe consequences of non-compliance.
Background of ERAP
The emergency rental assistance program (ERAP) was instituted to help low-income households cover rent, rental arrears, utilities, and other housing-related expenses during the pandemic. Governments were mandated to create programs to distribute federal funding to eligible tenants and landlords efficiently and securely. In New York, the responsibility for overseeing the state’s ERAP fell to the Office of Temporary and Disability Assistance (OTDA).
Roles of Guidehouse Inc. and Nan McKay and Associates
In May 2021, Guidehouse Inc., headquartered in McLean, Virginia, entered into a contract with OTDA to oversee New York’s ERAP. As the prime contractor, Guidehouse Inc. assumed responsibility for the program, including the technology and services provided to New Yorkers. Nan McKay and Associates, headquartered in El Cajon, California, acted as a subcontractor responsible for deploying and managing the ERAP technology platform utilized for online applications.
Both companies were responsible for ensuring that the ERAP application underwent the required cybersecurity testing in its pre-production environment before its public launch. This testing was meant to find and fix weaknesses that could expose applicants' personally identifiable information (PII) before real data was placed at risk.
Cybersecurity Breach
Despite these obligations, Guidehouse Inc. and Nan McKay and Associates did not complete the required pre-production cybersecurity testing. When New York's ERAP website went live on June 1, 2021, it was taken offline roughly 12 hours later after it was discovered that some applicants' PII was accessible on the internet. The exposure of sensitive applicant data illustrates the consequences of skipping security testing before launch.
Admission of Violations
In the settlements announced, Guidehouse Inc. and Nan McKay and Associates acknowledged their shortcomings and that proper cybersecurity testing could have detected, and possibly prevented, the conditions that led to the breach. Guidehouse Inc. further admitted that it had used a third-party cloud software product to store PII without first obtaining OTDA's permission, a separate violation of its contractual obligations.
Financial and Legal Consequences
Guidehouse Inc. has agreed to pay $7.6 million, while Nan McKay and Associates will pay $3.7 million to settle the allegations. These settlements reflect the seriousness of the violations and the government’s commitment to enforcing cybersecurity standards in federally funded contracts.
Statements from Officials
Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division, emphasized the importance of complying with cybersecurity obligations tied to federal funding. U.S. Attorney Carla B. Freedman for the Northern District of New York reiterated her commitment to holding contractors accountable for failing to protect sensitive information.
Acting Inspector General Richard K. Delmar from the Department of the Treasury emphasized how the vendors’ shortcomings compromised the effectiveness of a crucial pandemic recovery program. New York State Comptroller Thomas P. DiNapoli stressed the importance of safeguarding personal information and maintaining the integrity of essential programs like ERAP.
Whistleblower Involvement
The investigation began with a lawsuit filed under the whistleblower provisions of the False Claims Act by Elevation 33 LLC, an entity owned by a former Guidehouse employee. The whistleblower will receive $1,949,250 from the settlement, highlighting the crucial role of whistleblowers in uncovering and addressing fraud.
This case serves as a reminder of the essential role of cybersecurity in managing sensitive information, especially in programs designed to aid vulnerable populations. The substantial settlement payments by Guidehouse Inc. and Nan McKay and Associates demonstrate the government's intent to enforce cybersecurity requirements attached to federal funding and the cost of non-compliance. As federal programs rely more heavily on digital platforms, verifying that security testing is actually performed before launch, and that data is stored only where contracts permit, will remain essential to protecting sensitive data and maintaining public trust.