BreachExchange mailing list archives
Trustwave Case Highlights Cyber-Risk to Professional Service Providers
From: inga () riskbasedsecurity com (Inga Goddijn)
Date: Wed, 6 Apr 2016 15:40:45 -0500
http://www.jdsupra.com/legalnews/trustwave-case-highlights-cyber-risk-to-99539/

In a case that we believe reflects a real future trend in the cyber-risk industry, Las Vegas casino operator Affinity Gaming ("Affinity") is suing Chicago-based IT security firm Trustwave Holdings, Inc. ("Trustwave") for breach of contract, negligence, and fraud based on Trustwave's alleged failure to fully eliminate malware from Affinity's computer systems. According to the complaint, Affinity first discovered in early October 2013 that hackers had compromised its network security and stolen customer credit card information. After notifying its cyber insurer of the breach, Affinity Gaming was referred to Trustwave for "professional forensic data security investigator" (PFI) services. The parties executed an Incident Response Agreement outlining the scope of Trustwave's services. After an investigation at Affinity's offices, Trustwave produced a PFI report stating that it had identified, contained, and removed the malware responsible for the breach. Trustwave reported that the hackers responsible for the breach had likely removed the malware themselves sometime in mid October after being detected.

In April 2014, Affinity retained Ernst & Young to perform penetration testing on its systems in compliance with new gaming regulations. The test allegedly revealed that the malware previously identified by Trustwave had, in fact, not been completely contained and removed as reported. Consequently, Affinity Gaming hired another data security firm, Mandiant, a direct competitor to Trustwave, to perform a second investigation. According to Affinity, Mandiant's review allegedly revealed that Trustwave's prior investigation failed to identify the original malware's remote access point and two other related malware programs, and that hackers had continued to compromise Affinity's systems during Trustwave's remediation efforts.

In addition to the fees it paid to Trustwave, Affinity seeks to recover from Trustwave the costs of Mandiant's services, legal expenses associated with its defense of multiple investigations, and fees paid to financial institutions related to the re-issuance of compromised credit cards.

On February 29, 2016, Trustwave filed a motion to dismiss Affinity Gaming's complaint for failure to state a claim. Trustwave argues, among other things, that the Incident Response Agreement demonstrates that Trustwave only "agreed to investigate certain specific cardholder data components of Affinity's network; not Affinity's entire network." Trustwave argues that Affinity failed to plead its fraud-based claims with the required specificity and that such claims are "nothing more than dressed-up breach of contract claims." Trustwave further contends that Affinity Gaming's tort claims are barred by the economic loss doctrine, and that its declaratory judgment claim is "wholly duplicative" of its other causes of action.

Affinity filed a response to Trustwave's motion on April 4, 2016, arguing that its constructive and equitable fraud claims establish a special relationship with Trustwave, "in light of Trustwave's specialized knowledge and skills and Affinity's unique vulnerability to and reliance on Trustwave's superior position." Affinity refutes that any of its claims are barred by the economic loss doctrine because they "target both Trustwave's contractual misrepresentations"—meaning misrepresentations made in the Incident Response Agreement itself—"as well as Trustwave's breaches of duties independent of its contractual duties." According to the Court docket, Trustwave has until April 19, 2016 to reply. It is still too early to tell which side will prevail, though Trustwave does have the benefit of strong contractual language executed by "sophisticated business entities," and will likely emphasize this in its reply brief.
The Trustwave case has captured the attention of the entire cyber-risk industry because it portends to be an indication of a coming trend in the theories of liability associated with cyber-risk. It puts professional technology services providers and IT firms on notice that they are also held to a standard of care that, if deviated from, has the potential to cause third party damages. Technology service providers and IT firms should always discuss risk with their own counsel to receive comprehensive legal advice and maintain privilege. In doing so, service providers should reevaluate the strength and scope of their own engagement agreements, subcontracts, and the sufficiency of performance standards of professional operations. They should also seek appropriate insurance coverage, including cyber-insurance, to further mitigate their risk.