
Another One: It Pays to Consult the DOJ under the Civil Cyber Fraud Initiative

What You Need to Know

  • Key takeaway #1

    This is the third public FCA Civil Cyber-Fraud settlement based on a state-level contract (after Jelly Bean Communications Design LLC, announced by DOJ in March 2023, and Insight Global LLC, announced by DOJ in May 2024) and the third settlement under DOJ’s Civil Cyber-Fraud Initiative initiated by a qui tam complaint. See United States ex rel. Elevation 33, LLC v. Guidehouse Inc. et al., Case No. 1:22-cv-206 (N.D.N.Y.).

  • Key takeaway #2

    Although a third party investigated and found that no PII was viewed or used by unauthorized parties, Guidehouse nevertheless agreed to pay $7.6 million and Nan McKay agreed to pay $3.7 million, for a total of $11.3 million, of which approximately ten percent ($1.125 million) was earmarked for restitution. 

  • Key takeaway #3

    This settlement is a reminder that DOJ will continue to rely on whistleblowers and relators, and pursue aggressive recoveries under its Civil Cyber-Fraud Initiative.

  • Key takeaway #4

    There are many sources of cybersecurity obligations (e.g., statutes, agency regulations, contractual agreements, etc.) that may apply to any government contractor, including contractors who are not providing traditional cybersecurity services. Companies should be mindful of their compliance with all contractual provisions relating to cybersecurity, which may include the traditional implementation of security controls, the completion of cybersecurity testing and scanning, and obtaining approval to use third-party cloud software to store data that is incidental to contract performance.

Client Alert | 2 min read | 06.26.24

On June 17, 2024, the Department of Justice (DOJ) announced an $11.3 million False Claims Act (FCA) settlement that touches on two key enforcement priorities: the DOJ’s Civil Cyber-Fraud Initiative and pandemic-related fraud. This settlement, the largest under the Civil Cyber-Fraud Initiative to date, resolved allegations that Guidehouse Inc. (Guidehouse) and its subcontractor, Nan McKay and Associates (Nan McKay), violated the FCA because they failed to conduct pre-production cybersecurity testing on New York State’s Emergency Rental Assistance Program (ERAP) technology product before its public launch, and that Guidehouse used an unapproved third-party cloud data storage program to store personally identifiable information (PII).

New York State created ERAP to distribute COVID-19 relief funding to eligible tenants and landlords in New York. The State’s Office of Temporary and Disability Assistance (OTDA) was responsible for administering ERAP, and it designated Guidehouse as the prime contractor and Nan McKay as the subcontractor. The contract required Guidehouse to perform cybersecurity testing and scans prior to the launch of ERAP. Guidehouse flowed these requirements down into its subcontract with Nan McKay, which in turn was responsible for delivering and maintaining the technology product used by New York residents, but Guidehouse also retained the right to perform its own application and web server testing and scanning, as appropriate.

Nan McKay and Guidehouse conceded that neither completed the required pre-production cybersecurity testing before New York’s ERAP went live on June 1, 2021. Twelve hours after ERAP was launched, a cybersecurity incident occurred in which commercial search engines accessed PII from ERAP belonging to a limited group of individuals. According to the Guidehouse and Nan McKay settlement agreements, the conditions that allowed the incident to occur may have been detected—and thus prevented—if either Guidehouse or Nan McKay had conducted the contractually required pre-go-live cybersecurity testing. Additionally, Guidehouse acknowledged in its settlement agreement that it used a third-party cloud data storage program to administer a program adjacent to ERAP and to store PII, in violation of the contract’s standards and of the requirement to seek and receive OTDA’s approval before using software that was not already authorized.
