Department of Justice Maintains Its False Claims Act Enforcement Focus on Government Contractor Cybersecurity
Friday, June 21, 2024

On June 17, the Department of Justice (DOJ) announced settlements of alleged False Claims Act (FCA) violations associated with cybersecurity requirements in contracts to provide a secure environment for online applications for federal housing assistance. Guidehouse Inc. and Nan McKay and Associates paid $7.6 million and $3.7 million, respectively, to settle the civil claims initially brought by a whistleblower under the FCA’s qui tam provisions. These settlements occurred pursuant to DOJ’s Civil Cyber-Fraud Initiative (Initiative), which leverages the FCA to impose liability upon federal contractors that, among other things, knowingly misrepresent cybersecurity policies and procedures to the federal government, and they show that the DOJ remains serious about contractor cybersecurity. (The DOJ’s announcement of the Initiative is available here.) In connection with the settlements, Principal Deputy Assistant Attorney General Brian M. Boynton, head of the DOJ’s Civil Division, said, “Federal funding frequently comes with cybersecurity obligations, and contractors and grantees must honor these commitments. The [DOJ] will continue to pursue knowing violations of material cybersecurity requirements aimed at protecting sensitive personal information.”

Background

During the COVID-19 pandemic, the U.S. government implemented an emergency rental assistance program (ERAP) for participating states to provide financial assistance—rent, rental arrears, utilities, and other housing expenses—to certain low-income households. Guidehouse contracted with New York to administer the ERAP, including technology solutions and customer service. Guidehouse subcontracted with Nan McKay to deliver and maintain the ERAP technology solution for online financial assistance applications.

As prime contractor and subcontractor, Guidehouse and Nan McKay had contractual responsibility for ensuring that the solution satisfied cybersecurity requirements in pre-production testing. Shortly before the go-live date, Nan McKay advised Guidehouse that it would not achieve one of the pre-production cybersecurity tests in a timely manner because it was having difficulty with its test tool. Guidehouse assumed responsibility for this pre-production test, but, using its tool, it also could not complete the cybersecurity test before the go-live date. Rather, Guidehouse made the solution available to the public on June 1, 2021, and, within twelve hours, New York disabled the solution when it discovered that certain applicant personally identifying information (PII) had been compromised and was available on the internet. In the settlements, Guidehouse and Nan McKay admitted that the required testing may have prevented the exposure of PII. Further, Guidehouse admitted to using a third-party cloud provider to store PII without New York’s required contractual consent. (The settlement agreements are available here and here, and the DOJ press release is available here.)

By bringing the action pursuant to the FCA’s qui tam provisions, the whistleblower became eligible to share in a percentage of the government’s recovery after the government intervened. Here, the whistleblower will receive an approximately $1.95 million share of the $11.3 million settlement total.

Key Takeaways

  • The DOJ continues to use contractual cybersecurity obligations as an avenue to enforce FCA actions. As these enforcement actions expand in quantity and scope, companies may wish to continue monitoring and managing their cybersecurity representations and contractual obligations.
  • As long as whistleblowers continue to recover significant amounts for commencing qui tam actions under the FCA, companies that misrepresent their cybersecurity compliance or otherwise hide potential breaches of their government contracts risk private litigation by employees with firsthand knowledge of false statements. They also risk government intervention into those actions, which increases exposure significantly.
  • The largest FCA settlements tend to involve companies without an effective compliance program. A strong compliance program with an internal reporting mechanism can both lessen the risk that an employee runs to court and potentially mitigate FCA damages.
  • The DOJ has recently been emphasizing voluntary self-disclosures. This enforcement strategy may offer opportunities to a company when confronted with FCA allegations. Determining whether to self-disclose, however, requires a prompt and effective internal investigation—preferably performed by outside counsel to keep the investigation privileged until the company can make an appropriate determination.