Cybersecurity Lawsuit Poses Vendor Liability Question


In October 2013, Affinity Gaming, a casino operator based in Nevada, heard from customers that their credit cards had been hacked. Before too long, the company’s IT department concluded it likely suffered a data breach.

Within days, professional forensic data security investigators from Chicago-based Trustwave Holdings Inc. were analyzing the company’s system, and suggesting remedial measures.

That account is taken from a federal lawsuit that Affinity filed in Las Vegas. It accuses Trustwave, the IT security company Affinity hired to conduct a forensic investigation, of failing to prescribe appropriate remedial measures and of not removing the malware. The suit states that a second data breach occurred within three months. Affinity is suing Trustwave for fraud, fraudulent inducement, constructive fraud, gross negligence, negligent misrepresentation, breach of contract and declaratory judgment.

The lawsuit, filed in late December and first noticed by Ars Technica, poses an interesting test case of whether a security vendor can be held liable for failing to ensure the complete safety of a company.

“Absolutely, no one on earth can come in and look at a system and say ‘yeah, you’re 100 percent secure’,” said Michael Overly, an information security lawyer at Foley & Lardner in Los Angeles. “The only way to be secure is if you disconnect all the computers.”

Overly, who holds six different cyber-related certifications, including Certified Information Systems Security Professional (CISSP), advises companies like Affinity on how to negotiate contracts with their vendors. He said it is standard practice for security vendors to contractually limit their liability to the fees paid for the services rendered.

One exception would be if a security vendor committed gross negligence, which by law in many states cannot be written out of a contract, according to Overly. Gross negligence is extremely difficult to prove: Affinity would need to show there was egregious, willful conduct on Trustwave’s part, he said.

The complaint notes that Trustwave stated to Affinity that “almost all” components of the malware — an umbrella term for software that infects a system — were removed or deactivated. But it also accuses Trustwave of “inexplicably” failing to investigate a communication link created by a piece of malware it did not catch.

Affinity’s attorney Robert Gilmore, of Stein, Mitchell Cipollone, Beato & Missner, declined to comment.

Trustwave, a private company, was picked from a list of security vendors put forward by Affinity’s insurance company, according to the complaint.

A company spokesperson declined to comment beyond its statement of denial: “We dispute and disagree with the allegations in the lawsuit, and we will defend ourselves vigorously in court.”

It is not the first time the company has been under legal fire: In March 2014, it was sued by two Massachusetts savings banks as part of a class action related to the 2013 Target data breach. That suit alleged Trustwave had certified Target as being in compliance with credit card data security standards just a month before the hack began. However, Trustwave was later dropped from that suit.

The lawsuit that Affinity filed in late December does not say what it paid Trustwave. But it is seeking damages that include the cost of hiring a second information security company, Mandiant, in April 2014, and other outside consultants; the costs charged by credit card companies and banks that had to issue new cards to customers; and the cost of publishing notice of a second data breach.

“Had Trustwave lived up to its representations,” the complaint states, “Affinity Gaming would have avoided all of these financial and reputational injuries. Affinity Gaming’s monetary harm is considerably in excess of $100,000.”