June 17, 2024 at 07:52PM
Two consulting firms, Guidehouse and Nan McKay and Associates (NMA), agreed to pay a total of $11.3 million to settle allegations of cybersecurity failings in the rollout of COVID-19 assistance. The fines were split, with Guidehouse paying $7.6 million and NMA paying $3.7 million. The firms failed to perform required cybersecurity testing, leading to a data breach in New York’s emergency rental assistance program.
An ex-Guidehouse employee who blew the whistle on the affair received $1,949,250 as part of the settlements.
The firms were selected by New York to administer the state’s emergency rental assistance program (ERAP) established by Congress as part of the federal government’s COVID relief funding efforts. However, both firms failed to ensure proper cybersecurity testing of the ERAP application before deployment, leading to a breach and loss of sensitive information. As part of the settlements, both firms acknowledged that performing the contractually mandated security testing could have prevented the data loss.
Lastly, Guidehouse also admitted to using a third-party data cloud software program to store Personally Identifiable Information (PII) without obtaining the state’s approval, which was also in violation of its contract.