On Monday, June 17, 2024, the Department of Justice (DOJ) announced a settlement in which two U.S.-based consulting companies agreed to pay a combined total of $11.3 million to resolve allegations that they violated the False Claims Act (FCA) by failing to comply with cybersecurity requirements in government contracts. According to the DOJ, the companies failed to meet cybersecurity requirements in contracts intended to ensure the security of New York’s emergency rental assistance program (ERAP) application, which provided rental assistance to individuals in need during the COVID-19 pandemic.
The consulting companies, as the prime contractor and subcontractor, shared responsibility for ensuring that the ERAP application went through proper cybersecurity testing in the pre-production environment prior to public launch. As part of the settlement agreements, the companies admitted that neither satisfied that obligation. Within 12 hours of the ERAP going live, the Office of Temporary and Disability Assistance shut down the ERAP website after determining that certain applicants’ personally identifiable information (PII) had been compromised and that portions of it were available on the internet. The prime contractor also admitted to using a third-party cloud data storage program to store PII without first obtaining permission from the New York government, in violation of its contract.
According to the DOJ press release, the United States’ investigation was prompted by a lawsuit filed under the whistleblower provisions of the FCA. These provisions allow private parties to sue on behalf of the government when they believe false claims have been made for government funds. The FCA whistleblower provisions also permit private parties who submit claims to receive a share of any recovery. The settlement agreements in this case allow the whistleblower to receive a $1,949,250 share of the settlement amounts.
When the DOJ first announced its Civil Cyber-Fraud Initiative in 2021, we noted that government contractors should expect increased FCA risk. The press release for this settlement tends to indicate that increased FCA risk should remain a concern for government contractors, as Principal Deputy Assistant Attorney General Brian M. Boynton stated that the “Justice Department will continue to pursue knowing violations of material cybersecurity requirements aimed at protecting sensitive personal information.” Boynton further noted that “federal funding frequently comes with cybersecurity obligations, and contractors and grantees must honor these commitments.”
Government contractors should continue to ensure they have implemented sufficient cybersecurity processes, procedures, and controls, and should confirm that they make accurate certifications and fulsome disclosures to government agencies regarding their compliance with applicable cybersecurity requirements. As part of such efforts, government contractors and others who receive federal funds should closely assess all relevant contracts for cybersecurity obligations and ensure material compliance with such provisions, particularly as they relate to the protection of PII.