BreachExchange mailing list archives

Litigation Watch: Can a Third-Party Vendor Be Left Holding the Bag After a Breach?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 9 Feb 2016 18:48:31 -0700

http://www.jdsupra.com/legalnews/litigation-watch-can-a-third-party-66078/

Many organizations, particularly those outside of the technology sector,
rely heavily on third parties—including cyber security specialists,
lawyers, and public relations firms—to help pick up the pieces after a data
breach.  But what happens when a third-party vendor doesn’t fix the problem?

We’ve written about managing third-party risk on this blog several times,
and from a legal perspective, we’ve focused on dealing with those risks
through careful planning and thoughtful contracting.  But what other steps
can an organization take if a third-party vendor lets it down?  That’s
exactly what one recently filed lawsuit seeks to find out.

In Affinity Gaming v. Trustwave Holdings Inc., 2:15-cv-02464-GMN-PAL, filed
on December 24, 2015 in Nevada federal court, Affinity, a Nevada casino
operator, is seeking damages and a declaratory judgment against Trustwave,
a Chicago-based cyber security firm, that Affinity says failed to
sufficiently repair a data breach of its customer credit card information.
This lawsuit is one of the first of its kind, and if Affinity is
successful, it could open a new avenue of liability arising out of a data
breach.

In its complaint, Affinity claims it first learned that it experienced a
data breach in October 2013, when customers notified Affinity of fraudulent
credit card transactions, and shortly thereafter hired Trustwave to
“identify and help remedy the causes of the data breach, as well as
facilitate [Affinity’s] implementation of measures to help prevent further
such breaches.”  Affinity and Trustwave entered into an “Incident Response
Agreement” that purported to cover the scope of Trustwave’s work.  From
November 2013 to January 2014, Trustwave completed its investigation and
response, and provided Affinity with a “Forensic Investigation Report,”
indicating that Trustwave had identified and contained the source of the
Affinity breach.  But according to Affinity, Trustwave’s representations
turned out to be false.

Affinity claims that, shortly after Trustwave certified it had fixed the
problem, Affinity conducted a routine penetration test (pursuant to state
gaming law) and discovered much to its dismay that its data systems
remained vulnerable.  According to Affinity, its subsequent
investigation—conducted with the assistance of Mandiant, another cyber
security firm—revealed that Trustwave “had failed to identify the entire
extent of the breach,” and wrongly concluded that a “backdoor” to
Affinity’s network was “inert,” when in fact it was being used by hackers
on a continuing basis.  Among other things, Affinity claims that Trustwave
failed to review Affinity’s remote access logs, failed to identify malware
programs on Affinity’s servers, failed to investigate an open network
connection to an external system, and provided “pointless” recommendations
that failed to address the source of the breach.

In addition to seeking to recover its fees paid to Trustwave, Affinity is
seeking to recover the fees it subsequently paid to Mandiant, the fees it
paid to banks and credit card processors to cover the cost of re-issuing
stolen credit card numbers, and its costs associated with defending itself
in several Attorney General investigations arising from the breach.  More
significantly, Affinity is also seeking punitive damages for what it
describes as Trustwave’s “reckless, willful, and wanton” negligence in
performing its investigation, and a declaratory judgment holding Trustwave
liable for “any and all future losses arising from Trustwave’s misconduct.”
Such extraordinary remedies are rarely awarded, and should Affinity
prevail in its suit, it would certainly change the way risk is typically
allocated when third-party vendors are retained.

At the time of this writing, Trustwave has not yet responded to Affinity’s
allegations, and its side of the story remains to be told.  Responding to a
request for comment by the Financial Times, however, Trustwave stated “[w]e
dispute and disagree with the allegations in the lawsuit and we will defend
ourselves vigorously in court.”

One interesting aspect of Affinity’s suit is that it only mentions the
Incident Response Agreement it entered into with Trustwave in passing, and
does not rely on any specific provisions of that agreement as a basis for
its claims.  It is likely that the Incident Response Agreement contains
disclaimers and other limitations on Trustwave’s potential liability that
Trustwave will rely on in its defense.

We will continue to follow developments in this suit, which—regardless of
its outcome—will no doubt set new precedents for the reach of data breach
liability.  Though for the time being this suit is unique, there can be
little doubt that more like it will follow as data breaches become
increasingly common and managing their fallout becomes an increasingly
larger burden for organizations large and small.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss