Two DOJ Priorities In One Settlement: DOJ Settles Cyber FCA Matter Involving Pandemic Relief Program

Arnold & Porter


DOJ just notched its fifth settlement since announcing its Civil Cyber-Fraud Initiative nearly three years ago. As our readers know, the initiative is focused on entities or individuals that knowingly provide deficient cybersecurity services, knowingly misrepresent their cybersecurity protocols, or knowingly violate obligations to monitor and report cybersecurity incidents and breaches. While most of the prior settlements related to the alleged failure to safeguard personal health information, this case involves a failure to protect personally identifiable information (PII). This resolution also touches on pandemic-related fraud, which is another enforcement priority for DOJ.

Here, Northern Virginia-based consulting firm Guidehouse entered into a contract with the New York state agency responsible for administering the federally funded emergency rental assistance program (ERAP) in New York during the COVID-19 pandemic. The ERAP program was established by Congress to provide financial assistance to eligible low-income households to cover the costs of rent, rental arrears, utilities, and other housing-related expenses. While Guidehouse had ultimate responsibility for the ERAP program in New York, it subcontracted with New York-based Nan McKay Associates for Nan McKay to deliver and maintain the technology used by New York residents to fill out and submit forms requesting financial support under the program (ERAP Application).

Guidehouse's ERAP contract required Guidehouse to perform certain cybersecurity testing of the ERAP Application prior to launch. Guidehouse included this requirement in the subcontract with Nan McKay, but retained the right to perform its own application and webserver testing and scanning, as appropriate. Ultimately, neither company successfully performed the requisite cybersecurity testing before the ERAP Application went live. Approximately 12 hours later, certain data from the ERAP appeared on the internet. Although the companies later retained a third party that determined that no PII was "viewed or used by unauthorized parties," Guidehouse and Nan McKay admitted that PII had been "accessed by commercial search engines for a limited group of individuals." In their settlement agreements, both Guidehouse and Nan McKay admitted that, had they conducted the pre-go-live cybersecurity testing, the incident may have been prevented. Guidehouse also admitted that it briefly stored PII using a third-party data cloud software program without first obtaining permission from the New York state agency as required by the contract. While neither company admitted liability, they did admit, acknowledge, and accept responsibility for the covered conduct in the settlement agreements.

The settlements were negotiated while the case was under seal. Guidehouse agreed to pay $7.6 million, of which $1.3 million will go to the Relator, a private LLC. Nan McKay agreed to pay $3.7 million, of which $638,000 will go to the Relator. At $11.3 million in total, this is DOJ's largest recovery under the Civil Cyber-Fraud Initiative and brings the total dollars received to just over $19 million.

As always, check back often for the latest updates on the initiative and all things FCA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
