DOJ Cracks Down on Federal Contractors for Failing to Meet Cybersecurity Requirements, Issues $11.3M in Penalties

The US Justice Department has penalized two consulting firms a total of $11.3 million for failing to comply with cybersecurity requirements on federally funded projects. These lapses jeopardized sensitive government data, leading to significant settlements and the necessity for immediate enhancements in security protocols to protect federal information.

Contractors Guidehouse Inc. and Nan McKay and Associates were hired to ensure the effective implementation and security of the ERAP (emergency rental assistance program) technology used by New Yorkers to apply for rental assistance during the COVID-19 pandemic.

• Responsibility: Guidehouse and Nan McKay were responsible for cybersecurity testing of the ERAP Application before its public launch.
• Admission: Both companies admitted they did not fulfill their obligation to complete the required pre-production cybersecurity testing.
• Incident: The ERAP website went live on June 1, 2021, but was shut down 12 hours later due to a security breach exposing applicants' PII online.
• Cause: Guidehouse and Nan McKay acknowledged that the breach could have been prevented with proper security testing.
• Additional Violation: Guidehouse admitted to using a third-party data cloud software to store PII without permission from OTDA, violating its contract.

The investigation was initiated by a whistleblower lawsuit filed under the False Claims Act by a former Guidehouse employee. The Act allows private parties to sue on behalf of the government for false claims, or in this case what essentially amounts to a breach of contract.

No Tolerance for Cybersecurity Failures in Taxpayer-Funded Contracts#

The US Justice Department’s crackdown on federal contractors highlights a significant enforcement action targeting cybersecurity non-compliance. It marks a strong stance by the government to ensure contractors adhere to stringent cybersecurity measures to protect sensitive information. While such large-scale penalties are notable, it is part of ongoing efforts to hold contractors accountable for lapses in cybersecurity.

“Federal funding frequently comes with cybersecurity obligations, and contractors and grantees must honor these commitments,” Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department's Civil Division, said. “The Justice Department will continue to pursue knowing violations of material cybersecurity requirements aimed at protecting sensitive personal information.”

The DOJ has recently been ramping up its enforcement of the Civil Cyber Fraud Initiative, which was launched in 2021 to keep contractors and grantees accountable for violating cybersecurity requirements. Last month a staffing company agreed to pay $2.7 million in response to allegations about its failure to implement adequate cybersecurity measures to protect health information during COVID-19 contact tracing.

Congress added incentives to the False Claims Act in 1986 that compensate whistleblowers with 15% to 30% of the recovery funds. In 2023, 712 lawsuits were filed by whistleblowers and the DOJ reported settlements and judgments exceeding $2.3 billion. This figure included a number of alleged violations of cybersecurity requirements in government contracts and grants:

• Jelly Bean Communications Design LLC and its manager paid $293,771 to settle allegations that they failed to secure personal information on a Florida children’s health insurance website, potentially exposing 500,000 applicants' data.
• Verizon Business Network Services LLC settled for over $4 million with the Justice Department for cybersecurity failures on contracts with the General Services Administration, after disclosing and addressing the issues.

In the case of Verizon’s infraction, the company mitigated the penalties by cooperating through multiple written self-disclosures, and an independent investigation and compliance review.

Implications for Companies Taking Federal Contracts and Grants#

The recent settlements and enforcement actions by the US Justice Department highlight the critical importance of adhering to cybersecurity requirements for companies engaged in federal contracts and grants.

It's essential for companies to actively maintain, patch, and update their software systems to secure personal and sensitive information. Neglecting these responsibilities can lead to breaches and subsequent legal and financial repercussions, as the DOJ has recently demonstrated it will hold contractors accountable for unauthorized access to US citizens’ private information.