Another One: It Pays to Consult the DOJ under the Civil Cyber Fraud Initiative
What You Need to Know
Key takeaway #1
This is the third public FCA Civil Cyber-Fraud settlement based on a state-level contract (after Jelly Bean Communications Design LLC, announced by DOJ in March 2023, and Insight Global LLC, announced by DOJ in May 2024), and the third settlement under DOJ’s Civil Cyber-Fraud Initiative to originate in a qui tam complaint. See United States ex rel. Elevation 33, LLC v. Guidehouse Inc. et al., Case No. 1:22-cv-206 (N.D.N.Y.).
Key takeaway #2
Although a third-party investigation found that no PII was viewed or used by unauthorized parties, Guidehouse nevertheless agreed to pay $7.6 million and Nan McKay agreed to pay $3.7 million, for a total of $11.3 million, of which approximately ten percent ($1.125 million) was earmarked for restitution.
Key takeaway #3
This settlement is a reminder that DOJ will continue to rely on whistleblowers and relators, and pursue aggressive recoveries under its Civil Cyber-Fraud Initiative.
Key takeaway #4
Cybersecurity obligations can arise from many sources (e.g., statutes, agency regulations, and contractual terms), and they may apply to any government contractor, including contractors that are not providing traditional cybersecurity services. Companies should be mindful of their compliance with every contractual provision relating to cybersecurity, which may include not only the implementation of security controls but also the completion of required cybersecurity testing and scanning before go-live, and obtaining the customer’s approval before using third-party cloud software to store data that is incidental to contract performance.
Client Alert | 2 min read | 06.26.24
On June 17, 2024, the Department of Justice (DOJ) announced an $11.3 million False Claims Act (FCA) settlement that touches on two key enforcement priorities: the DOJ’s Civil Cyber-Fraud Initiative and pandemic-related fraud. This settlement, the largest under the Civil Cyber-Fraud Initiative to date, resolved allegations that Guidehouse Inc. (Guidehouse) and its subcontractor, Nan McKay and Associates (Nan McKay), violated the FCA by failing to conduct the required pre‑production cybersecurity testing of New York State’s Emergency Rental Assistance Program (ERAP) technology product before its public launch, and that Guidehouse used an unapproved third-party cloud software program to store personally identifiable information (PII).
New York State created ERAP to distribute COVID-19 relief funding to eligible tenants and landlords in New York. The State’s Office of Temporary and Disability Assistance (OTDA) was responsible for administering ERAP, and it designated Guidehouse as the prime contractor and Nan McKay as the subcontractor. The contract required Guidehouse to perform cybersecurity testing and scans prior to the launch of ERAP. Guidehouse flowed these requirements down into its subcontract with Nan McKay, which in turn was responsible for delivering and maintaining the technology product used by New York residents, but Guidehouse also retained the right to perform its own application and web server testing and scanning, as appropriate.
Nan McKay and Guidehouse conceded that neither completed the required pre‑production cybersecurity testing before New York’s ERAP went live on June 1, 2021. Twelve hours after ERAP was launched, a cybersecurity incident occurred in which commercial search engines accessed PII from ERAP belonging to a limited group of individuals. According to the Guidehouse and Nan McKay settlement agreements, the conditions that allowed the incident to occur may have been detected, and thus prevented, if either Guidehouse or Nan McKay had conducted the contractually required pre-go-live cybersecurity testing. Additionally, Guidehouse acknowledged in its settlement agreement that it used a third-party cloud software program to administer a program adjacent to ERAP and to store PII, in violation of the contract’s standards and of the requirement to seek and receive OTDA’s approval before using software not otherwise authorized under the contract.