In a significant legal resolution, government contractors Guidehouse Inc. and Nan McKay and Associates (Nan McKay) have settled allegations of violating the False Claims Act by failing to meet cybersecurity requirements in federally-funded government contracts. The prime contractor and subcontractor paid the government $7,600,000 and $3,700,000 respectively to resolve allegations that they knowingly failed to meet cybersecurity requirements and failed to protect low-income New Yorkers’ personal information. This case underscores the critical role whistleblowers play in identifying and addressing cybersecurity fraud, especially in government contracts. A former employee blew the whistle on this alleged contracting misconduct and will receive $1,949,250 or approximately 17% of the settlement.

A Brief Overview of the Allegations

Guidehouse Inc., based in McLean, Virginia, has paid $7.6 million, while Nan McKay, headquartered in El Cajon, California, has paid $3.7 million to settle claims that they did not meet necessary cybersecurity standards in their contract with the federal government. These contracts were part of a broader initiative to provide a secure online environment for low-income New Yorkers applying for federal rental assistance during the COVID-19 pandemic.

In early 2021, Congress initiated the Emergency Rental Assistance Program (ERAP) to help low-income households cover rent and other housing-related expenses. The New York Office of Temporary and Disability Assistance (OTDA) was responsible for administering this program in New York. Guidehouse was contracted as the prime contractor, with Nan McKay serving as a subcontractor responsible for the ERAP technology product.

Cybersecurity Breach and Its Aftermath

Despite their shared responsibility to ensure the ERAP Application underwent rigorous pre-production cybersecurity testing, both companies failed to fulfill this obligation. Consequently, upon the program’s launch on June 1, 2021, the ERAP website had to be shut down within 12 hours after it was discovered that applicants’ personally identifiable information (PII) had been compromised.

Guidehouse further admitted to using a third-party data cloud software to store PII without obtaining OTDA’s permission, a direct violation of their contract.

The Role of the Whistleblower

This settlement was catalyzed by a lawsuit under the whistleblower provisions of the False Claims Act. Elevation 33 LLC, an entity owned by a former Guidehouse employee, filed the lawsuit that prompted the investigation, leading to the whistleblower receiving a $1,949,250 reward.

The Importance of Cybersecurity Whistleblowers

Whistleblowers are essential in maintaining the integrity of cybersecurity in government contracts. “Federal funding frequently comes with cybersecurity obligations, and contractors and grantees must honor these commitments,” said the Principal Deputy Assistant Attorney General. Industry insider whistleblowers bring to light misconduct that might otherwise go unnoticed, protecting sensitive information and ensuring that companies are held accountable. The Department of Justice’s Civil Cyber-Fraud Initiative aims to hold individuals and entities accountable if they knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices, or violate obligations to monitor and report cybersecurity incidents.