Another One: It Pays to Consult the DOJ under the Civil Cyber-Fraud Initiative
What You Need to Know
Key takeaway #1
This is the third public FCA Civil Cyber-Fraud Initiative settlement based on a state-level contract (after Jelly Bean Communications Design LLC, announced by DOJ in March 2023, and Insight Global LLC, announced by DOJ in May 2024) and the third settlement under DOJ’s Civil Cyber-Fraud Initiative initiated by a qui tam complaint. See United States ex rel. Elevation 33, LLC v. Guidehouse Inc. et al., Case No. 1:22-cv-206 (N.D.N.Y.).
Key takeaway #2
Although a third party investigated and found that no PII was viewed or used by unauthorized parties, Guidehouse nevertheless agreed to pay $7.6 million and Nan McKay agreed to pay $3.7 million, for a total of $11.3 million, of which approximately ten percent ($1.125 million) was earmarked for restitution.
Key takeaway #3
This settlement is a reminder that DOJ will continue to rely on whistleblowers and relators, and pursue aggressive recoveries under its Civil Cyber-Fraud Initiative.
Key takeaway #4
There are many sources of cybersecurity obligations (e.g., statutes, agency regulations, and contractual agreements) that may apply to any government contractor, including contractors who are not providing traditional cybersecurity services. Companies should be mindful of their compliance with all contractual provisions relating to cybersecurity, which may include the traditional implementation of security controls, the completion of cybersecurity testing and scanning, and obtaining approval to use third-party cloud software to store data that is incidental to contract performance.
Client Alert | 2 min read | 06.26.24
On June 17, 2024, the Department of Justice (DOJ) announced an $11.3 million False Claims Act (FCA) settlement that touches on two key enforcement priorities: the DOJ’s Civil Cyber-Fraud Initiative and pandemic-related fraud. This settlement, the largest under the Civil Cyber-Fraud Initiative to date, resolved allegations that Guidehouse Inc. (Guidehouse) and its subcontractor, Nan McKay and Associates (Nan McKay), violated the FCA because they failed to conduct pre-production cybersecurity testing on New York State’s Emergency Rental Assistance Program (ERAP) technology product before public launch, and that Guidehouse used an unapproved third-party cloud data software program to store personally identifiable information (PII).
New York State created ERAP to distribute COVID-19 relief funding to eligible tenants and landlords in New York. The State’s Office of Temporary and Disability Assistance (OTDA) was responsible for administering the ERAP, and it designated Guidehouse as the prime contractor and Nan McKay as the subcontractor. The contract required Guidehouse to perform cybersecurity testing and scans prior to the launch of ERAP. Guidehouse included these requirements in its subcontract with Nan McKay, who in turn was responsible for delivering and maintaining the technology product used by New York residents, but Guidehouse also retained the right to perform its own application and webserver testing and scanning, as appropriate.
Nan McKay and Guidehouse conceded that neither completed the required pre-production cybersecurity testing before New York’s ERAP went live on June 1, 2021. Twelve hours after the ERAP was launched, a cybersecurity incident occurred in which commercial search engines accessed PII from ERAP for a limited group of individuals. According to the Guidehouse and Nan McKay settlement agreements, the conditions that allowed the incident to occur may have been detected—and thus prevented—if either Guidehouse or Nan McKay had conducted the contractually required pre-go-live cybersecurity testing. Additionally, Guidehouse acknowledged in its settlement agreement that it used a third-party cloud data software program to administer a program adjacent to the ERAP and to store PII, in violation of the contract’s standards and of the requirement to seek and receive OTDA’s approval before using software not already authorized under the contract.