BreachExchange mailing list archives
Responsibility Shifting for Cyber Attacks?
From: audrey () riskbasedsecurity com (Audrey McNeil)
Date: Tue, 23 Feb 2016 18:53:24 -0700
http://www.jdsupra.com/legalnews/responsibility-shifting-for-cyber-66950/

When a company's protected data is compromised, potential litigants generally look to the company itself as the target for damages claims. The list of recent cases filed against the company suffering the data breach is long and, by now, familiar. In addition to potential damages claims, the breached company also must sustain the cost of remediation and attorneys' fees, both in regard to its "first party" costs and with regard to third party claims. In very large breaches, it's not uncommon for the company's cost to far outstrip its insurance coverage, even if it has very good coverage. Historically, the breached entity has had nowhere else to look to try to further defray its costs.

This dynamic is potentially changing, however. In a recently filed case in the United States District Court for the District of Nevada, Affinity Gaming has brought suit against its previous cybersecurity consulting firm, Trustwave, alleging that Trustwave failed to contain a data breach Affinity hired Trustwave to remediate.

Affinity alleges that, in 2014, it was the victim of a breach that compromised the sensitive financial information of more than 300,000 customers. Affinity hired Trustwave to investigate, diagnose, and remedy this data breach. Trustwave subsequently concluded its investigation, allegedly represented to Affinity that its data breach was contained, and purportedly provided recommendations to "fend off future attacks." Affinity alleges, however, that Trustwave's representations were false. After the engagement with Trustwave concluded, Affinity discovered that it was suffering an ongoing data breach, which it alleges was still part of the first breach, causing it to retain a second data security firm, Mandiant.
According to Affinity's Complaint, Mandiant's subsequent investigation revealed that Trustwave's representations were untrue and its previous work "woefully inadequate." Affinity alleges that Mandiant's investigation also revealed that Trustwave examined only a small subset of Affinity's data systems and failed to identify the means by which the attacker breached Affinity's data security.

While the allegations of fraud, breach of contract, and gross negligence in this lawsuit are substantial, the most interesting aspect of the case is whether it portends a future trend. The extension of this sort of "professional liability" to cybersecurity firms will be critical to monitor - both for businesses and for security professionals alike. And, depending on the result of the Affinity Gaming case, the landscape of the cybersecurity industry might be shifting in a major way.