Government Contractors Guidehouse, Nan McKay Pay $11.3M for Cybersecurity Failure

July 5, 2024

Two government consultants have paid more than $11 million to settle allegations that they failed to meet cybersecurity requirements in a program for New Yorkers who applied online for federal emergency rental assistance during the COVID-19 pandemic.

In early 2021, Congress established the emergency rental assistance program (ERAP) to provide financial assistance to eligible low-income households to cover the costs of rent, rental arrears, utilities and other housing-related expenses during the COVID-19 pandemic.

In May 2021, Guidehouse Inc., headquartered in McLean, Virginia, and Nan McKay and Associates, headquartered in El Cajon, California, were hired by New York State to create the state’s ERAP. Guidehouse, as the prime contractor, assumed responsibility for the ERAP technology and services while Nan McKay, serving as Guidehouse’s subcontractor, was responsible for delivering and maintaining the ERAP technology product used in New York to fill out and submit online applications requesting rental assistance.

According to Justice Department documents, Guidehouse and Nan McKay shared responsibility for ensuring that the ERAP application underwent cybersecurity testing in its pre-production environment before it was launched to the public. Twelve hours after the state’s ERAP went live on June 1, 2021, the state shut down the ERAP website upon learning that certain applicants’ personally identifiable information (PII) had been compromised and portions were available on the internet.

Guidehouse and Nan McKay have acknowledged that had either of them conducted the contractually required cybersecurity testing, the conditions that resulted in the information security breach may have been detected and the incident prevented.

In addition, as part of its settlement, Guidehouse admitted that for a short time period in 2021, it used a third-party data cloud software program to store personally identifiable information without first obtaining the state’s permission, in violation of its contract.

The federal investigation was prompted by a lawsuit filed under the whistleblower provisions of the False Claims Act, which permit private parties to sue on behalf of the government when they believe that defendants submitted false claims for government funds, and to receive a share of any recovery.

Officials said Guidehouse has paid $7,600,000 and Nan McKay has paid $3,700,000 to resolve allegations that they violated the False Claims Act by failing to meet cybersecurity requirements.

The settlement agreements in this case provide for the whistleblower, Elevation 33 LLC, an entity owned by a former Guidehouse employee, to receive a $1,949,250 share of the settlement amounts.

“Federal funding frequently comes with cybersecurity obligations, and contractors and grantees must honor these commitments,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “The Justice Department will continue to pursue knowing violations of material cybersecurity requirements aimed at protecting sensitive personal information.”
