Consulting Firms Shell Out $11 Million for Non-Compliance with Cybersecurity Standards

Two consulting companies, Guidehouse Inc. and Nan McKay and Associates, have agreed to pay $11.3 million to settle allegations that they failed to meet contractual cybersecurity requirements. The settlement resolves alleged violations of the False Claims Act tied to contracts for a secure online platform through which low-income New Yorkers could apply for federal rental assistance during the COVID-19 pandemic.

Guidehouse Inc., with its headquarters in McLean, Virginia, has agreed to pay the larger portion of the settlement amount, totaling $7.6 million. On the other hand, Nan McKay and Associates, based in El Cajon, California, will contribute $3.7 million towards resolving the allegations.

The core issue that led to these penalties revolves around cybersecurity failures and a critical data breach. The story begins with the establishment of the Emergency Rental Assistance Program (ERAP) by Congress in early 2021. The program aimed to provide aid to eligible low-income households struggling with rental payments and housing-related expenses during the ongoing COVID-19 crisis. The New York Office of Temporary and Disability Assistance (OTDA) was responsible for administering the ERAP in the state.

Guidehouse, as the prime contractor, and Nan McKay, as the subcontractor, were tasked with ensuring the cybersecurity of the technology infrastructure supporting the ERAP program. However, both companies admitted to failing to conduct the necessary pre-production cybersecurity testing, a crucial step that could have detected vulnerabilities and prevented potential breaches.

The ramifications of this failure became apparent when the ERAP website went live on June 1, 2021, only to be shut down within 12 hours due to a data breach that compromised the personally identifiable information (PII) of applicants. It was acknowledged that proper cybersecurity testing could have identified and rectified these issues before they escalated into a full-blown breach.

In a further violation of the contract terms, Guidehouse was found to have stored PII in a third-party cloud data-storage program without obtaining the required authorization from the OTDA, adding another layer of negligence to the cybersecurity lapses.

The response from the government and legal authorities was swift and assertive. Principal Deputy Assistant Attorney General Brian M. Boynton underscored the significance of upholding cybersecurity obligations tied to federal funding, emphasizing the Department of Justice’s commitment to pursuing violations of critical cybersecurity requirements aimed at safeguarding sensitive personal information.

U.S. Attorney Carla B. Freedman for the Northern District of New York echoed these sentiments, stressing the need for contractors to take their cybersecurity responsibilities seriously. The investigation was prompted by a whistleblower lawsuit filed under the False Claims Act by Elevation 33 LLC, a company owned by a former Guidehouse employee. As the whistleblower, Elevation 33 LLC will receive $1,949,250 of the settlement amount.

The message sent by these settlements is clear: the government is unwavering in its commitment to holding entities accountable for cybersecurity failures, especially when they involve critical programs like the ERAP. Acting Inspector General Richard K. Delmar of the Department of the Treasury and New York State Comptroller Thomas P. DiNapoli reiterated the importance of safeguarding personal information and upholding the integrity of vital government initiatives.

The legal proceedings in this case, captioned United States ex rel. Elevation 33, LLC v. Guidehouse Inc. et al., were overseen by Trial Attorney J. Jennifer Koh and Assistant U.S. Attorney Adam J. Katz, with support from the Department of the Treasury OIG and the Office of the New York State Comptroller.

In conclusion, these settlements serve as a stark reminder of the critical role that cybersecurity plays in safeguarding sensitive information and maintaining the trust of the public in essential government programs. The repercussions of cybersecurity failures can be severe, both in terms of financial penalties and reputational damage. Moving forward, it is imperative for all organizations, especially those handling sensitive data, to prioritize cybersecurity measures to prevent breaches and protect the integrity of their operations.
