<div dir="ltr"><a href="http://www.jdsupra.com/legalnews/trustwave-case-highlights-cyber-risk-to-99539/">http://www.jdsupra.com/legalnews/trustwave-case-highlights-cyber-risk-to-99539/</a><br><p>
In a case that we believe reflects a real future trend in the
cyber-risk industry, Las Vegas casino operator Affinity Gaming
(“Affinity”) is suing Chicago-based IT security firm Trustwave Holdings,
Inc. (“Trustwave”) for breach of contract, negligence, and fraud based
on Trustwave’s alleged failure to fully eliminate malware from
Affinity’s computer systems.</p>
<p>
According to the complaint, Affinity first discovered in early October
2013 that hackers had compromised its network security and stolen
customer credit card information. After notifying its cyber insurer of
the breach, Affinity Gaming was referred to Trustwave for “professional
forensic data security investigator” (PFI) services. The parties
executed an Incident Response Agreement outlining the scope of
Trustwave’s services.</p>
<p>
After an investigation at Affinity’s offices, Trustwave produced a PFI
report stating that it had identified, contained, and removed the
malware responsible for the breach. Trustwave reported that the hackers
responsible for the breach had likely removed the malware themselves
sometime in mid-October after being detected.</p>
<p>
In April 2014, Affinity retained Ernst &amp; Young to perform
penetration testing on its systems in compliance with new gaming
regulations. The test allegedly revealed that the malware previously
identified by Trustwave had, in fact, not been completely contained and
removed as reported. Consequently, Affinity Gaming hired another data
security firm, Mandiant, a direct competitor to Trustwave, to perform a
second investigation.</p>
<p>
According to Affinity, Mandiant’s review allegedly revealed that
Trustwave’s prior investigation failed to identify the original
malware’s remote access point and two other related malware programs, and
that hackers had continued to compromise Affinity’s systems during
Trustwave’s remediation efforts.</p>
<p>
In addition to the fees it paid to Trustwave, Affinity seeks to recover
from Trustwave the costs of Mandiant’s services, legal expenses
associated with its defense of multiple investigations, and fees paid to
financial institutions related to the re-issuance of compromised credit
cards.</p>
<p>
On February 29, 2016, Trustwave filed a motion to dismiss Affinity
Gaming’s complaint for failure to state a claim. Trustwave argues, among
other things, that the Incident Response Agreement demonstrates that
Trustwave only “agreed to investigate certain specific cardholder data
components of Affinity’s network; not Affinity’s entire network.”</p>
<p>
Trustwave argues that Affinity failed to plead its fraud-based claims
with the required specificity and that such claims are “nothing more
than dressed-up breach of contract claims.” Trustwave further contends
that Affinity Gaming’s tort claims are barred by the economic loss
doctrine, and that its declaratory judgment claim is “wholly
duplicative” of its other causes of action.</p>
<p>
Affinity filed a response to Trustwave’s motion on April 4, 2016,
arguing that its constructive and equitable fraud claims establish a
special relationship with Trustwave, “in light of Trustwave’s
specialized knowledge and skills and Affinity’s unique vulnerability to
and reliance on Trustwave’s superior position.” Affinity disputes that
any of its claims are barred by the economic loss doctrine because they
“target both Trustwave’s contractual misrepresentations”—meaning
misrepresentations made in the Incident Response Agreement itself—“as
well as Trustwave’s breaches of duties independent of its contractual
duties.”</p>
<p>
According to the Court docket, Trustwave has until April 19, 2016 to
reply. It is still too early to tell which side will prevail, though
Trustwave does have the benefit of strong contractual language executed
by “sophisticated business entities,” and will likely emphasize this in
its reply brief.</p>
<p>
The Trustwave case has captured the attention of the entire cyber-risk
industry because it appears to signal a coming trend in
the theories of liability associated with cyber-risk. It puts
professional technology services providers and IT firms on notice that
they are also held to a standard of care that, if deviated from, has the
potential to cause third-party damages.</p>
<p>
Technology service providers and IT firms should always discuss risk
with their own counsel to receive comprehensive legal advice and
maintain privilege. In doing so, service providers should reevaluate the
strength and scope of their own engagement agreements, subcontracts,
and the sufficiency of performance standards of professional operations.
They should also seek appropriate insurance coverage, including
cyber-insurance, to further mitigate their risk.</p></div>