In a recent development, Guidehouse Inc., based in McLean, Virginia, and Nan McKay and Associates (Nan McKay), headquartered in El Cajon, California, have settled allegations related to violations of the False Claims Act. The allegations pertain to their failure to meet cybersecurity requirements in contracts designed to create a secure environment for low-income New Yorkers to apply for federal rental assistance during the COVID-19 pandemic. Guidehouse has paid $7.6 million, and Nan McKay has paid $3.7 million to resolve these allegations.
Background on the Emergency Rental Assistance Program (ERAP)
In early 2021, Congress initiated the emergency rental assistance program (ERAP) to assist eligible low-income households with rent, rental arrears, utilities, and other housing-related expenses during the pandemic. State and local governments were tasked with distributing the federal funds to eligible tenants and landlords. The New York Office of Temporary and Disability Assistance (OTDA) was responsible for managing New York’s ERAP.
Guidehouse, as the prime contractor, was responsible for New York’s ERAP, including the technology and services provided. Nan McKay, as a subcontractor, was tasked with delivering and maintaining the ERAP technology used for online applications.
Cybersecurity Failures and Data Breach
Guidehouse and Nan McKay were responsible for ensuring that the ERAP application underwent thorough cybersecurity testing before its public launch. However, both companies admitted they did not complete the required pre-production cybersecurity testing. As a result, when the ERAP application went live on June 1, 2021, it was shut down within twelve hours due to a data breach that compromised applicants’ personally identifiable information (PII).
Guidehouse further admitted to using a third-party data cloud software program to store PII without obtaining OTDA’s permission, violating their contract.
The settlements with Guidehouse and Nan McKay underline the serious consequences of failing to meet cybersecurity requirements in government contracts. These actions serve as a reminder to all contractors about the critical nature of cybersecurity in protecting sensitive personal information and upholding the integrity of your data.
1