When a company’s protected data is compromised, potential litigants generally look to the company itself as the target for damages claims. The list of recent cases filed against the company suffering the data breach is long and, by now, familiar. In addition to potential damages claims, the breached company also must sustain the cost of remediation and attorneys’ fees, both for its “first party” costs and for third-party claims. In very large breaches, it’s not uncommon for the company’s cost to far outstrip its insurance coverage, even if it has very good coverage. Historically, the breached entity has had nowhere else to look to try to further defray its costs.
This dynamic is potentially changing, however. In a recently filed case in the United States District Court for the District of Nevada, Affinity Gaming has brought suit against its previous cybersecurity consulting firm, Trustwave, alleging that Trustwave failed to contain a data breach Affinity hired Trustwave to remediate. Affinity alleges that, in 2014, it was the victim of a breach that compromised the sensitive financial information of more than 300,000 customers. Affinity hired Trustwave to investigate, diagnose, and remedy this data breach. Trustwave subsequently concluded its investigation, allegedly represented to Affinity that its data breach was contained, and purportedly provided recommendations to “fend off future attacks.”
Affinity alleges, however, that Trustwave’s representations were false. After the engagement with Trustwave concluded, Affinity discovered that it was suffering an ongoing data breach, which it alleges was still part of the first breach, causing it to retain a second data security firm, Mandiant. According to Affinity’s Complaint, Mandiant’s subsequent investigation revealed that Trustwave’s representations were untrue and its previous work “woefully inadequate.” Affinity alleges that Mandiant’s investigation also revealed that Trustwave examined only a small subset of Affinity’s data systems and failed to identify the means by which the attacker breached Affinity’s data security.
While the allegations of fraud, breach of contract, and gross negligence in this lawsuit are substantial, the most interesting aspect of the case is whether it portends a future trend. The extension of this sort of “professional liability” to cybersecurity firms will be critical for businesses and security professionals alike to monitor. And, depending on the result of the Affinity Gaming case, the landscape of the cybersecurity industry might be shifting in a major way.