New York's Emergency Rental Assistance Program contractors settle for $11.3 million in cybersecurity case
DOJ said two out-of-state contractors settled for $11.3 million after personal information leaked that belonged to New Yorkers applying for COVID housing aid
ALBANY, N.Y. (NEXSTAR) — Two out-of-state consulting firms paid a total of $11,300,000 to the federal government for violating the False Claims Act. According to the Department of Justice, they did not meet cybersecurity thresholds when making the online portal for low-income New Yorkers to apply for pandemic housing aid.
Guidehouse Inc., based in Virginia, was on the hook for $7,600,000, and Nan McKay and Associates based in California, for $3,700,000. According to the Department of Justice (DOJ), the settlement saw the companies admit that they failed to test whether their digital environment was secure enough to protect user identities.
On Jan. 5, 2021, Congress established the federal Emergency Rental Assistance Program (ERAP), which let low-income Americans apply for rental assistance during COVID. State governments had to create a way to hand out the funding to the tenants and landlords who qualified.
Here in New York, the Office of Temporary and Disability Assistance (OTDA) administered ERAP. They made a deal leaving Guidehouse in charge of the program, including the technology used to fill out applications. Guidehouse in turn subcontracted with Nan McKay to maintain that technology. Both companies were responsible for preproduction cybersecurity testing for the ERAP application.
Applications opened on June 1, 2021, and OTDA closed the ERAP website just 12 hours later, according to the DOJ. OTDA said that found evidence of some personally identifiable information online, compromised and potentially to scammers or other bad actors.
Guidehouse and Nan McKay say that they could have prevented the leak if they'd performed the cybersecurity testing they'd contractually agreed to. Guidehouse also admitted to another violation of its contract with OTDA; they briefly stored some personally identifiable information with a third-party cloud service.
The DOJ said an ex-Guidehouse employee whistleblower prompted their investigation. Of the $11.3 million paid to the federal government, the whistleblower gets $1,949,250.
The Office of the New York State Comptroller assisted. Comptroller Thomas P. DiNapoli said in a written statement, “This settlement sends a strong message to New York State contractors that there will be consequences if they fail to safeguard the personal information entrusted to them or meet the terms of their contracts. Rental assistance has been vital to our economic recovery and the integrity of the program needs to be protected.”