Many organizations, particularly those outside of the technology sector, rely heavily on third parties—including cyber security specialists, lawyers, and public relations firms—to help pick up the pieces after a data breach. But what happens when a third-party vendor doesn’t fix the problem?
We’ve written about managing third-party risk on this blog several times, and from a legal perspective, we’ve focused on dealing with those risks through careful planning and thoughtful contracting. But what other steps can an organization take if a third-party vendor lets them down? That’s exactly what one recently-filed lawsuit seeks to find out.
In Affinity Gaming v. Trustwave Holdings Inc., 2:15-cv-02464-GMN-PAL, filed on December 24, 2015 in Nevada federal court, Affinity, a Nevada casino operator, is seeking damages and a declaratory judgment against Trustwave, a Chicago-based cyber security firm, that Affinity says failed to sufficiently repair a data breach of its customer credit card information. This lawsuit is one of the first of its kind, and if Affinity is successful, it could open a new avenue of liability arising out of a data breach.
In its complaint, Affinity claims it first learned that it experienced a data breach in October 2013, when customers notified Affinity of fraudulent credit card transactions, and shortly thereafter hired Trustwave to “identify and help remedy the causes of the data breach, as well as facilitate [Affinity’s] implementation of measures to help prevent further such breaches.” Affinity and Trustwave entered into an “Incident Response Agreement” that purported to cover the scope of Trustwave’s work. From November 2013 to January 2014, Trustwave completed its investigation and response, and provided Affinity with a “Forensic Investigation Report,” indicating that Trustwave had identified and contained the source of the Affinity breach. But according to Affinity, Trustwave’s representations turned out to be false.
Affinity claims that, shortly after Trustwave certified it had fixed the problem, Affinity conducted a routine penetration test (pursuant to state gaming law) and discovered much to its dismay that its data systems remained vulnerable. According to Affinity, its subsequent investigation—conducted with the assistance of Mandiant, another cyber security firm—revealed that Trustwave “had failed to identify the entire extent of the breach,” and wrongly concluded that a “backdoor” to Affinity’s network was “inert,” when in fact it was being used by hackers on a continuing basis. Among other things, Affinity claims that Trustwave failed to review Affinity’s remote access logs, failed to identify malware programs on Affinity’s servers, failed to investigate an open network connection to an external system, and provided “pointless” recommendations that failed to address the source of the breach.
In addition to seeking to recover its fees paid to Trustwave, Affinity is seeking to recover the fees it subsequently paid to Mandiant, the fees it paid to banks and credit card processors to cover the cost of re-issuing stolen credit card numbers, and its costs associated with defending itself in several Attorney General investigations arising from the breach. More significantly, Affinity is also seeking punitive damages for what it describes as Trustwave’s “reckless, willful, and wanton” negligence in performing its investigation, and a declaratory judgment holding Trustwave liable for “any and all future losses arising from Trustwave’s misconduct.” Such extraordinary remedies are rarely awarded, and should Affinity prevail in its suit, it would certainly change the way risk is typically allocated when third-party vendors are retained.
At the time of this writing, Trustwave has not yet responded to Affinity’s allegations, and its side of the story remains to be told. Responding to a request for comment by the Financial Times, however, Trustwave stated “[w]e dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court.”
One interesting aspect of Affinity’s suit is that it only mentions the Incident Response Agreement it entered into with Trustwave in passing, and does not rely on any specific provisions of that agreement as a basis for its claims. It is likely that the Incident Response Agreement contains disclaimers and other limitations on Trustwave’s potential liability that Trustwave will rely on in its defense.
We will continue to follow developments in this suit, which—regardless of its outcome—will no doubt set new precedents for the reach of data breach liability. Though for the time being this suit is unique, there can be little doubt that more like it will follow as data breaches become increasingly common and managing their fallout becomes an increasingly large burden for organizations large and small.