In 2021, the U.S. Department of Justice (“DOJ”) announced the launch of the Cyber-Fraud Initiative, a program utilizing the False Claims Act (“FCA”) to “pursue cybersecurity related fraud by government contractors and grant recipients.” Although the Initiative has netted fewer than 10 settlements, the two most recent serve as a reminder that data breaches with respect to government contracts can result in FCA exposure.

In its most recent enforcement effort as part of this Initiative, DOJ reached settlements with two consulting companies—Guidehouse Inc. (“Guidehouse”) and Nan McKay and Associates (“Nan McKay”)—in which both accepted responsibility for failing to comply with cybersecurity requirements in a federally funded contract and agreed to pay a total of $11.3 million to resolve related False Claims Act allegations.

This article explores implications of the settlements, as well as practical considerations for the industry.

Background on the cybersecurity incident

In 2021, as part of COVID-19 relief efforts, the federal government established emergency rental assistance programs (“ERAPs”), through which it would partner with state governments to administer financial rental assistance to eligible low-income households.

Under the federal program, the state of New York contracted with Guidehouse (the prime contractor), which in turn contracted with Nan McKay (the subcontractor) to create the technology and website through which New York’s ERAP would be administered. New York residents, in turn, would use the website created by Guidehouse and Nan McKay to submit online applications to request rental assistance under ERAP.

Although the contractors were obligated to perform “pre-production cybersecurity testing” of the website, both failed to complete such testing and proceeded to launch the site without it. Within 12 hours of the site’s June 1, 2021 launch, the state was forced to shut down the website after applicants’ personally identifiable information (“PII”) was “viewed or used by unauthorized parties.”

A qui tam FCA whistleblower lawsuit followed in 2022, brought by Elevation 33 LLC (a company owned by a former Guidehouse employee). On June 17, 2024, DOJ announced settlements with both Guidehouse and Nan McKay. Both companies admitted that, if either of them had “conducted the contractually-required pre-go-live cybersecurity testing,” it is possible that the “incident [could have been] prevented.” See Guidehouse Settlement; Nan McKay Settlement.

Guidehouse paid $7,600,000 and Nan McKay paid $3,700,000 as part of the settlements. In exchange, DOJ released both companies from claims under the FCA, the Program Fraud Civil Remedies Act (31 U.S.C. §§ 3801-3812), and various common law causes of action.

Takeaways from the settlements

Continued focus on Cyber-Fraud Initiative enforcement by both DOJ and whistleblowers

In its June 17 press release regarding the dual settlements, DOJ reiterated the Cyber-Fraud Initiative’s purpose: to “hold accountable entities or individuals that put sensitive information at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols or knowingly violating obligations to monitor and report cybersecurity incidents.”

To date, DOJ has announced seven settlements (including its two most recent against Guidehouse and Nan McKay) connected to its Cyber-Fraud Initiative. Prior settlements under the Initiative have involved projects touching on several industries, including medical services, flight systems, health insurance, internet services, and COVID-19 contact tracing. Although the breadth of contexts indicates that DOJ continues to see the Initiative’s scope as broadly applicable across any industry where cybersecurity matters are involved, DOJ may be concerned about the relatively small number of total settlements it has been able to secure in connection with a nearly three-year-old program. The relative dearth of settlements may make DOJ particularly eager to identify additional cases that fit within the initiative’s scope.

Moreover, when DOJ announces initiatives—and especially when substantial settlements are reached under them—whistleblowers (known as “relators” in the FCA context) and their counsel are incentivized to come forward with allegations consistent with DOJ’s stated priorities. That is particularly relevant here, where it appears DOJ may be looking for additional matters to publicize in this space. The Guidehouse and Nan McKay settlements both follow from a qui tam action, through which the whistleblower received approximately $1.9 million of the $11.3 million paid by the settling entities. These settlements may provide additional incentives for relators to file lawsuits involving alleged cybersecurity violations. Companies should therefore be cognizant of the potential for increased qui tam actions focused on cybersecurity issues and take precautions accordingly, including by encouraging employees who are concerned about potential cybersecurity lapses to report their concerns internally (without fear of retaliation) and by taking appropriate action in response to such employee concerns.

Subcontractors may face liability alongside prime contractors

The settlement with Nan McKay is unique among the Cyber-Fraud Initiative settlements because Nan McKay was a subcontractor, not the prime contractor. Although the prime contractor, Guidehouse, paid the majority of the total settlement amount, Nan McKay still paid $3.7 million, nearly half of what Guidehouse agreed to pay. And notably, in its settlement, Nan McKay admitted its responsibility for the cyber incident even though Guidehouse “expressly retained the right to perform its own application and webserver testing and scanning.”

The settlement with Nan McKay serves as a reminder that subcontractors are not immune from FCA liability for cybersecurity failures. Under the FCA, companies that contract directly with the government may be liable for knowingly submitting false claims, but liability also can attach to subcontractors that knowingly cause such false claims to be submitted, as Nan McKay was alleged to have done here by failing to complete the pre-production cybersecurity testing it had contracted with Guidehouse to perform. Thus, subcontracting companies should ensure they understand and comply with any relevant cybersecurity requirements, regardless of their level of ultimate responsibility on a contract, and appreciate that FCA liability can extend to them.

Businesses should be forthcoming with the government when faced with difficulty complying with cybersecurity requirements

In the settlement agreements, Guidehouse and Nan McKay admit that they each attempted to perform the required cybersecurity testing before the ERAP website went live on June 1, 2021, but had difficulty doing so. But instead of telling the state of New York about these testing difficulties—and perhaps asking whether the state would agree to either waive the testing requirements or postpone the website’s launch date until testing could be completed—both companies apparently stayed silent and hoped for the best. Their inaction resulted in the compromise of PII less than a day after the website launched and led to the multimillion-dollar FCA settlements each company has now entered into.

Although the companies may still have faced financial consequences for their contractual failures if they had been forthcoming with the government pre-launch about the challenges they encountered, they almost certainly would not have faced serious scrutiny under the FCA—which exposes companies to up to treble damages, plus penalties, for violations. That is because the FCA imposes liability only where a company acts knowingly. It would be difficult for the government to prove that a company engaged in knowing fraud if that company informed the government of the potentially violative conduct—here, the failure to comply with cybersecurity requirements (or complete the cybersecurity testing before June 1, 2021)—and the government acquiesced in relieving the company of that duty. That concept, encompassed in the colloquially termed “government knowledge defense,” is an inference that may defeat FCA liability when the defendant can prove that it “knew that the government knew of the falsity of the statement and was willing to pay anyway.” United States v. Bollinger Shipyards, Inc., 775 F.3d 255, 263 (5th Cir. 2014); see also U.S. ex rel. Gonzalez v. Planned Parenthood of L.A., 759 F.3d 1112, 1115-16 (9th Cir. 2014) (rejecting a relator’s FCA claim when the defendant had made relevant disclosures to the government and when state officials did not object regarding the disclosures).    

Given the significant and complex cybersecurity requirements the federal government is increasingly including in its contracts, a company that realizes it may be facing a cybersecurity compliance challenge stands to mitigate its ultimate financial exposure—and, at the very least, substantially reduce its risk of facing disruptive and costly FCA scrutiny—by affirmatively and proactively informing the government customer about such issues as soon as they are known, and ideally before security breaches occur.

Conclusion

DOJ’s settlements with Guidehouse and Nan McKay represent continued development in the area of cybersecurity compliance and enforcement (and particularly the DOJ’s Cyber-Fraud Initiative), and they serve as a reminder for entities involved in government contracting and programs—regardless of their level of involvement—to not only review their practices, conduct risk assessments, and stay updated with regulatory developments, but to consider the value of making proactive disclosures of issues concerning cybersecurity compliance before such issues give rise to potential FCA liability.