Photo of Nkechi KanuPhoto of Brian Tully McLaughlinPhoto of Jennie Wang VonCannonPhoto of Evan D. Wolff

On June 17, 2024, the Department of Justice (DOJ) announced a $11.3 million False Claims Act (FCA) settlement that touches on two key enforcement priorities:  the DOJ’s Civil Cyber-Fraud Initiative and pandemic-related fraud.  This settlement, the largest under the Civil Cyber-Fraud Initiative to date, resolved allegations that Guidehouse Inc. (Guidehouse) and its subcontractor, Nan McKay and Associates (Nan McKay), violated the FCA because they failed to conduct pre‑production cybersecurity testing on New York State’s Emergency Rental Assistance Program (ERAP) technology product before public launch, and that Guidehouse used an unapproved third-party data cloud software program to store personally identifiable information (PII).

New York State created ERAP to distribute COVID-19 relief funding to eligible tenants and landlords in New York.  The State’s Office of Temporary and Disability Assistance (OTDA) was responsible for administering the ERAP, and it designated Guidehouse as the prime contractor and Nan McKay as the subcontractor.  The contract required Guidehouse to perform cybersecurity testing and scans prior to the launch of ERAP.  Guidehouse included these requirements in its subcontract with Nan McKay, who in turn was responsible for delivering and maintaining the technology product used by New York residents, but Guidehouse also retained the right to perform its own application and webserver testing and scanning, as appropriate.  

Nan McKay and Guidehouse conceded that neither completed the required pre‑production cybersecurity testing before New York’s ERAP went live on June 1, 2021.  Twelve hours after the ERAP was launched, a cybersecurity incident occurred, which resulted in commercial search engines accessing PII from ERAP for a limited group of individuals.  According to Guidehouse and Nan McKay settlement agreements, the conditions that allowed for the incident to occur may have been detected—and thus prevented—if either Guidehouse or Nan McKay had conducted the contractually-required pre-go-live cybersecurity testing.  Additionally, Guidehouse acknowledged in its settlement agreement that it used a third-party data cloud software program to administer a program adjacent to the ERAP and to store PII, in violation of the contract’s standards and the requirement to seek and receive OTDA’s approval of unauthorized software.

What You Need to Know

  • Key takeaway #1This is the third public FCA Civil Cyber Fraud settlement based on a state-level contract (after Jelly Bean Communications Design LLC, announced by DOJ in March 2023, and Insight Global LLC, announced by DOJ in May 2024) and the third settlement under DOJ’s Civil Cyber-Fraud Initiative initiated by a qui tam complaint.  See United States ex rel. Elevation 33, LLC v. Guidehouse Inc. et al., Case No. 1:22-cv-206 (N.D.N.Y.).  
  • Key takeaway #2Although a third party investigated and found that no PII was viewed or used by unauthorized parties, Guidehouse nevertheless agreed to pay $7.6 million and Nan McKay agreed to pay $3.7 million, for a total of $11.3 million, of which approximately ten percent ($1.125 million) was earmarked for restitution. 
  • Key takeaway #3This settlement is a reminder that DOJ will continue to rely on whistleblowers and relators, and pursue aggressive recoveries under its Civil Cyber-Fraud Initiative.
  • Key takeaway #4There are many sources of cybersecurity obligations (e.g., statutes, agency regulations, contractual agreements, etc.) that may apply to any government contractor, including contractors who are not providing traditional cybersecurity services.  Companies should be mindful of their compliance with all contractual provisions relating to cybersecurity, which may include the traditional implementation of security controls, the completion of cybersecurity testing and scanning, and obtaining approval to use third-party cloud software to store data that is incidental to contract performance.  
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Nkechi Kanu Nkechi Kanu

Nkechi A. Kanu is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Government Contracts Group.

Nkechi’s practice focuses on False Claims Act investigations and litigation. Nkechi has significant experience assisting companies with…

Nkechi A. Kanu is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Government Contracts Group.

Nkechi’s practice focuses on False Claims Act investigations and litigation. Nkechi has significant experience assisting companies with complex internal investigations and represents clients in government investigations involving allegations of fraud. She also focuses on assisting clients with investigations relating to cybersecurity and information security compliance. Her complementary litigation practice involves defending companies in government-facing litigation arising under the FCA, resulting in the dismissal of qui tam complaints and successful settlements of FCA claims with DOJ.

Photo of Brian Tully McLaughlin Brian Tully McLaughlin

Brian Tully McLaughlin is a partner in the Government Contracts Group in Washington, D.C. and co-chair of the False Claims Act Practice. Tully’s practice focuses on False Claims Act investigations and litigation, particularly trial and appellate work, as well as litigation of a…

Brian Tully McLaughlin is a partner in the Government Contracts Group in Washington, D.C. and co-chair of the False Claims Act Practice. Tully’s practice focuses on False Claims Act investigations and litigation, particularly trial and appellate work, as well as litigation of a variety of complex claims, disputes, and recovery matters. Tully’s False Claims Act experience spans procurement fraud, healthcare fraud, defense industry fraud, and more. He conducts internal investigations and represents clients in government investigations who are facing fraud or False Claims Act allegations. Tully has successfully litigated False Claims Act cases through trial and appeal, both those brought by whistleblowers / qui tam relators and the Department of Justice alike. He also focuses on affirmative claims recovery matters, analyzing potential claims and changes, counseling clients, and representing government contractors, including subcontractors, in claims and disputes proceedings before administrative boards of contract appeals and the Court of Federal Claims, as well as in international arbitration. His claims recovery experience includes unprecedented damages and fee awards. Tully has appeared and tried cases before judges and juries in federal district courts, state courts, and administrative boards of contract appeals, and he has argued successful appeals before the D.C. Circuit, the Federal Circuit, and the Fourth and Seventh Circuits.

Photo of Jennie Wang VonCannon Jennie Wang VonCannon

Jennie VonCannon is a trial lawyer with a proven track record of success in both the courtroom and the boardroom — with extensive experience in white collar defense and cybersecurity matters. Jennie helps clients in crisis with internal investigations, law enforcement and regulatory…

Jennie VonCannon is a trial lawyer with a proven track record of success in both the courtroom and the boardroom — with extensive experience in white collar defense and cybersecurity matters. Jennie helps clients in crisis with internal investigations, law enforcement and regulatory inquiries and subpoenas, and cybersecurity and privacy incidents. Her impeccable judgment has been honed over 11 years as a federal prosecutor, culminating in her selection to serve with distinction as the deputy chief of the Cyber and Intellectual Property Crimes Section of the National Security Division of the U.S. Attorney’s Office for the Central District of California.

Photo of Evan D. Wolff Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical…

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.