Consulting Companies to Pay $11.3 million for Failing to Comply with Cybersecurity Requirements

By Jose Reyes Security Blog July 17, 2024

In a recent development, Guidehouse Inc., based in McLean, Virginia, and Nan McKay and Associates (Nan McKay), headquartered in El Cajon, California, have settled allegations related to violations of the False Claims Act. The allegations pertain to their failure to meet cybersecurity requirements in contracts designed to create a secure environment for low-income New Yorkers to apply for federal rental assistance during the COVID-19 pandemic. Guidehouse has paid $7.6 million, and Nan McKay has paid $3.7 million to resolve these allegations.

Background on the Emergency Rental Assistance Program (ERAP)

In early 2021, Congress initiated the emergency rental assistance program (ERAP) to assist eligible low-income households with rent, rental arrears, utilities, and other housing-related expenses during the pandemic. State and local governments were tasked with distributing the federal funds to eligible tenants and landlords. The New York Office of Temporary and Disability Assistance (OTDA) was responsible for managing New York’s ERAP.

Guidehouse, as the prime contractor, was responsible for New York’s ERAP, including the technology and services provided. Nan McKay, as a subcontractor, was tasked with delivering and maintaining the ERAP technology used for online applications.

Cybersecurity Failures and Data Breach

Guidehouse and Nan McKay were responsible for ensuring that the ERAP application underwent thorough cybersecurity testing before its public launch. However, both companies admitted they did not complete the required pre-production cybersecurity testing. As a result, when the ERAP application went live on June 1, 2021, it was shut down within twelve hours due to a data breach that compromised applicants’ personally identifiable information (PII).

Guidehouse further admitted to using a third-party data cloud software program to store PII without obtaining OTDA’s permission, violating their contract.

The settlements with Guidehouse and Nan McKay underline the serious consequences of failing to meet cybersecurity requirements in government contracts. These actions serve as a reminder to all contractors about the critical nature of cybersecurity in protecting sensitive personal information and upholding the integrity of your data.

Jose Reyes / About Author

Has a Bachelor's degree in Cybersecurity and Information Assurance, driven by a passion for protecting digital assets and ensuring data integrity in our interconnected world. As an engineer at Top Gallant Partners, I am gaining hands-on experience in cybersecurity practices, further enhancing my understanding of threat detection, risk assessment, and security management.
With coursework focusing on network security, cryptography, ethical hacking, and incident response, I am equipped with the skills needed to address the complex challenges facing organizations today.