Wednesday, January 21, 2026

DOJ takes cybersecurity seriously: Contractors should too | Cohen Seglias Pallas Greenhall & Furman PC


In 2021, the U.S. Department of Justice announced a civil cyber fraud initiative targeting contractors who fail to comply with required cybersecurity standards. The initiative aims to hold contractors accountable for knowingly providing deficient cybersecurity services or products, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating their obligations to monitor and report cybersecurity incidents or breaches.

On June 17, 2024, the Department of Justice announced that two consulting companies had agreed to pay $11.3 million to resolve alleged violations of the False Claims Act (FCA) arising from contracts meant to provide a secure online environment for low-income New York residents to apply for federal rental assistance during the COVID-19 pandemic. In settling the matter, the companies did not admit liability but accepted responsibility for their actions.

The Emergency Rental Assistance Program (ERAP) was established by the Legislature in 2021 to provide financial assistance to eligible low-income households. Financial assistance is intended to cover rent, late rent, utilities, and other housing-related expenses. The New York State Office of Temporary and Disability Assistance (OTDA) was responsible for facilitating the disbursement of ERAP funds to eligible tenants and landlords in the state. OTDA contracted with the consulting firm Guidehouse, Inc. to effectively administer the program, including providing and maintaining the relevant ERAP technology. Guidehouse subcontracted with Nan McKay & Associates (Nan McKay) to provide and maintain the ERAP technology product used by applicants to apply for financial assistance.

Under its contract with OTDA, Guidehouse was required to conduct cybersecurity testing in a pre-production environment before opening the ERAP online application process to the public. Guidehouse included this requirement in its subcontract with Nan McKay, while retaining the right to conduct its own cybersecurity testing of applications, if necessary. However, neither company performed the required pre-production cybersecurity testing before the application system went live. Within 12 hours, OTDA determined that applicants' personal information had been leaked and was accessible on the internet, and had to shut down the system. Both companies admitted that this situation could have been avoided if either company had performed the cybersecurity testing required by their contract. In addition to failing to conduct the required cybersecurity testing, Guidehouse admitted that it stored personal information in a third-party data cloud software program without OTDA's permission, which was also a breach of contract.

This case serves as a reminder that all contractors must take their cybersecurity obligations seriously or they may find themselves subject to action under the FCA.


