Consulting firms pay $11.3m for noncompliance with cybersecurity requirements in US-funded contract

DOJ sends clear signal over security standards that go with federal funding.

The Department of Justice (DOJ) recently announced the latest settlement under its Civil Cyber-Fraud Initiative (CCFI), which resulted in a total of $11,300,000 in payments from two consulting companies: Guidehouse, Inc., the prime contractor, which paid $7,600,000; and Nan McKay and Associates, the subcontractor, which paid $3,700,000.

Both businesses settled allegations that they violated the False Claims Act by failing to meet cybersecurity requirements in federally-funded contracts.

Guidehouse entered into a contract in 2021 with the New York Office of Temporary and Disability Assistance (OTDA) to assume responsibility for the emergency rental assistance program (ERAP) in New York. This included managing the application platform used to distribute federal funding to eligible low-income households to cover certain costs during the COVID-19 pandemic.

Under their respective contracts, both Guidehouse and its subcontractor, Nan McKay and Associates, were responsible for ensuring that the application platform underwent cybersecurity testing before it was made available to the public.

Personal information compromised

Neither company satisfied that obligation, though, and 12 hours after the website went live, OTDA shut it down because certain applicants’ personally identifiable information (PII) had been compromised and was generally available on the internet, DOJ said. In addition, Guidehouse admitted that for a short time in 2021 it used a third-party cloud data storage program to store PII without first obtaining permission from OTDA, in violation of its contract.

Guidehouse and Nan McKay acknowledged that, had either of them conducted the contractually required cybersecurity testing, the conditions that resulted in the information security breach might have been detected and the incident prevented.

This settlement is notable because it underscores how actively the DOJ is using the CCFI as an enforcement tool and highlights the DOJ’s message that federal funding comes with cybersecurity obligations. It is also significant that the contractual obligations stemmed from a state government contract rather than a federal one; the misconduct still fell under DOJ’s purview because the contract was funded with federal money.

It’s also significant that the settlement involved not only Guidehouse, the prime contractor, but also its subcontractor. The False Claims Act is not limited to the contractor with the direct contractual relationship with the government; it also covers any subcontractor that causes the prime contractor to make a false claim for payment.

Along with new cybersecurity-focused rules from the Cybersecurity and Infrastructure Security Agency, New York’s top financial regulator, and the SEC, among other agencies, this settlement adds to the mounting pressure on companies to devote substantial resources to cybersecurity compliance.

Contractors, federal funds, and cybersecurity

This investigation was prompted by a lawsuit filed under the False Claims Act’s whistleblower provisions, which permit private parties to sue on behalf of the government when they believe defendants have submitted false claims for government funds, and to receive a share of any recovery. The settlement agreements in this case provide for the whistleblower, Elevation 33 LLC, an entity owned by a former Guidehouse employee, to receive a $1,949,250 share of the settlement amounts.

The number of CCFI settlements and complaints demonstrates that enforcing cybersecurity obligations remains a top priority for DOJ, and that mechanisms like the CCFI are one way it pursues that goal, particularly to help protect PII in programs that everyday citizens depend on for vital services.

The CCFI aims to hold accountable entities or individuals that put sensitive information at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents.

Since the inception of the CCFI in October 2021, the DOJ has announced six cyber-fraud related settlements, totaling approximately $28.2m, across a range of industries including health-related services, aerospace and defense, data hosting, higher education, and technology consulting.

Officials underscore significance

Officials from New York and US government offices highlighted the Initiative’s importance in the DOJ’s press release.

“This settlement sends a strong message to New York State contractors that there will be consequences if they fail to safeguard the personal information entrusted to them or meet the terms of their contracts,” said New York State Comptroller Thomas DiNapoli. “Rental assistance has been vital to our economic recovery, and the integrity of the program needs to be protected.”

“Contractors who receive federal funding must take their cybersecurity obligations seriously,” said US Attorney Carla Freedman for the Northern District of New York. “We will continue to hold entities and individuals accountable when they knowingly fail to implement and follow cybersecurity requirements essential to protect sensitive information.”

“These vendors failed to meet their data integrity obligations in a program on which so many eligible citizens depend for rental security, which jeopardized the effectiveness of a vital part of the government’s pandemic recovery effort,” said Acting Inspector General Richard Delmar of the Department of the Treasury.