FCA Settlements with Companies on Government Cybersecurity Concerns Continue

By Daniel Fortune, Jonathan H. Ferry & Lyndsay E. Medlin on June 20, 2024

On Monday, June 17, 2024, the Department of Justice (DOJ) announced settlements involving $11.3 million in payments for consulting companies failing to comply with cybersecurity requirements in federally funded contracts. The head of DOJ’s Civil Division stated, “Federal funding frequently comes with cybersecurity obligations, and contractors and grantees must honor these commitments. The Justice Department will continue to pursue knowing violations of material cybersecurity requirements aimed at protecting sensitive personal information.” DOJ has shown no signs of pausing use of the False Claims Act (FCA) as a tool to enforce cybersecurity compliance.

Whistleblower Complaint and DOJ Investigation

According to DOJ’s press release, the United States’ investigation was prompted by a whistleblower, Elevation 33 LLC, an entity owned by a former employee of defendant Guidehouse Inc., filing suit in the United States District Court for the Northern District of New York (U.S. ex rel. Elevation 33, LLC v. Guidehouse Inc. et al., Case No. 1:22-cv-206).

Allegations: New Program, Compromised Data

The allegations centered around the Emergency Rental Assistance Program (ERAP), a new program the federal government established in 2021. ERAP was designed to provide financial assistance to eligible low-income households relating to expenses during the COVID-19 pandemic. Participating state governments were required to establish programs to distribute the federal funding. The state of New York entered into a contract with Guidehouse and Nan McKay and Associates for delivering and maintaining the ERAP technology used in New York to fill out and submit online ERAP applications. The New York ERAP website went live on June 1, 2021, but was shut down 12 hours later because certain applicants’ personally identifiable information had been compromised and portions were available on the internet.

Guidehouse and Nan McKay shared responsibility for ensuring that the ERAP application underwent cybersecurity testing in a pre-production environment before it was launched. Both companies have acknowledged that they did not conduct such testing, and that had either conducted the contractually required cybersecurity testing, the conditions that resulted in the breach might have been detected and the incident prevented. As part of the settlement, Guidehouse admitted to violating contractual cybersecurity obligations because, for a short period of time in 2021, Guidehouse used a third-party data cloud software program to store personally identifiable information without first obtaining permission from the appropriate New York agency.

Big Settlement, Big Whistleblower Reward

As a result of the $11.3 million settlement, the whistleblower LLC will receive a $1,949,250 share of the settlement amounts. This settlement looks eerily similar to DOJ’s 2023 FCA settlement with Verizon Business Network Services LLC based on Verizon’s failure to comply with cybersecurity requirements with respect to services provided to federal agencies. This pattern demonstrates the DOJ’s cyber priorities. As we wrote in October 2023, “even as cybersecurity requirements become more complex, tried and true compliance strategies remain key to mitigating damages.”

Compliance Tips for Companies

Initially, companies need to have policies and procedures in place that make sure contractual cybersecurity obligations are understood and implemented. In addition, companies should encourage a culture of self-reporting and agency. A self-reporting hotline is often a key component of an effective corporate compliance and ethics program. Importantly, make sure employees know that the hotline is the appropriate place to report any cybersecurity concerns – concerns and not just breaches. Employees tend to report concerns only when they feel a sense of agency or otherwise feel that their reported concerns are being addressed. This, of course, starts with the tone at the top. Consider ways to show that cybersecurity complaints are taken seriously – perhaps by consistently addressing cybersecurity concerns at staff meetings or otherwise publicizing the work done to ameliorate employees’ concerns.

To avoid potential FCA liability, companies need to be absolutely aware of any cybersecurity requirements in government contracts, including how compliance is certified and how to monitor and report any cybersecurity incidents. When cybersecurity concerns are reported, no matter whether corroborated or otherwise, companies must follow up on the complaint and with the complainant. Companies must consider ways to “close the feedback loop” and develop a system to follow up with complainants and to keep them informed about what the company has done about their concerns. Companies must take the investigation seriously and involve experienced cyber investigations counsel sooner rather than later. Counsel can help determine if a written self-disclosure to a government agency is necessary, help craft the strategy, and guide an investigation that may ultimately reduce liabilities or mitigate damages.

Daniel Fortune

Daniel Fortune represents clients in matters involving cybersecurity, white collar defense, government enforcement actions, and regulatory compliance. Prior to joining Bradley, Daniel served as the lead cybersecurity attorney at a litigation boutique, and as a state prosecutor and federal prosecutor litigating matters involving computer forensics, white collar crime, and government investigations. As the Deputy Chief Assistant U.S. Attorney in the Criminal Division, he supervised major cybercrime, white collar fraud, public corruption, asset forfeiture, and national security matters. He also served as the Computer Hacking and Intellectual Property Coordinator with top-secret security clearance, working on matters involving cleared defense contractors.

Jonathan H. Ferry

Jon Ferry brings his substantial experience as a federal prosecutor to assisting clients in False Claims Act litigation, government investigations and other enforcement actions, internal risk analysis and internal investigations.

Jon served as Assistant U.S. Attorney for the Western District of North Carolina for over seven years. As the head of the Affirmative Civil Enforcement (ACE) program and the Healthcare Fraud Coordinator for the U.S. Attorney’s Office, Jon led and supervised numerous investigations in the areas of healthcare, financial services and other complex frauds. He has significant experience with the False Claims Act and other whistleblower actions, healthcare regulations (including the Anti-Kickback Statute and Stark Law), the Food Drugs and Cosmetics Act, and the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA).

Lyndsay E. Medlin

Lyndsay Medlin assists clients across industries with a variety of litigation, internal investigation, and compliance needs. Her experience includes assisting clients with drafting and developing policies and best practices to ensure compliance and prevent litigation; investigating and responding to internal whistleblower allegations, federal civil investigative demands, and state regulatory inquiries for financial services, healthcare, life sciences, and government contractor clients, and working closely with clients across industries to protect their business interests nationwide. With privacy and cybersecurity becoming paramount concerns for businesses, Lyndsay is also skilled at counseling clients regarding the nuances of privacy notices, protection of customer and client personal information, and for covered financial services clients, Bank Secrecy Act/Anti-Money Laundering compliance.

  • Posted in:
    Government
  • Blog:
    Eye on Enforcement
  • Organization:
    Bradley Arant Boult Cummings LLP