Consulting Firms to Pay $11.3M for Cybersecurity Lapses in Federal Contract
Guidehouse Inc. and its subcontractor Nan McKay and Associates have agreed to pay $11.3 million to resolve allegations that they violated the False Claims Act by failing to meet cybersecurity testing requirements for a system used to process pandemic rental assistance applications in New York.

According to the Department of Justice, the two consulting firms were contracted in 2021 by New York's Office of Temporary and Disability Assistance (OTDA) to provide an online application portal for the state's emergency rental assistance program funded by Congress' COVID-19 relief package.

Under the contract, which was intended to give low-income New Yorkers a secure way to apply for federal rental aid, Guidehouse and Nan McKay were required to conduct comprehensive cybersecurity testing of the application system in a pre-production environment before launching it to the public.

However, the DOJ alleges that neither company satisfied its obligation to complete the mandated cybersecurity assessments. Just 12 hours after the system went live on June 1, 2021, OTDA was forced to take it offline when it was discovered that applicants' personally identifiable information had been compromised and exposed on the internet.

In their settlement agreements, Guidehouse and Nan McKay acknowledged that had they performed the contractually required cybersecurity testing, the conditions leading to the data breach may have been detected and prevented.

Guidehouse, the prime contractor based in Virginia, has agreed to pay $7.6 million, while California-based Nan McKay will pay $3.7 million to resolve the claims. The DOJ also alleges that Guidehouse improperly stored applicant data for a period in an unapproved third-party cloud software product.

"Federal funding frequently comes with cybersecurity obligations, and contractors and grantees must honor these commitments," said Brian M. Boynton, head of the DOJ's Civil Division. "We will continue to pursue knowing violations of material cybersecurity requirements."

The settlements stem from a whistleblower lawsuit filed under the False Claims Act by a company owned by a former Guidehouse employee. The whistleblower entity will receive nearly $2 million from the recovery.

This enforcement action is part of the DOJ's Civil Cyber-Fraud Initiative, aimed at cracking down on entities that compromise data integrity through lax cybersecurity practices on government contracts and programs.