[BreachExchange] Trustwave Case Highlights Cyber-Risk to Professional Service Providers

Inga Goddijn inga at riskbasedsecurity.com
Wed Apr 6 16:40:45 EDT 2016


http://www.jdsupra.com/legalnews/trustwave-case-highlights-cyber-risk-to-99539/

In a case that we believe reflects a real future trend in the cyber-risk
industry, Las Vegas casino operator Affinity Gaming (“Affinity”) is suing
Chicago-based IT security firm Trustwave Holdings, Inc. (“Trustwave”) for
breach of contract, negligence, and fraud based on Trustwave’s alleged
failure to fully eliminate malware from Affinity’s computer systems.

According to the complaint, Affinity first discovered in early October 2013
that hackers had compromised its network security and stolen customer
credit card information. After notifying its cyber insurer of the breach,
Affinity Gaming was referred to Trustwave for “professional forensic data
security investigator” (PFI) services. The parties executed an Incident
Response Agreement outlining the scope of Trustwave’s services.

After an investigation at Affinity’s offices, Trustwave produced a PFI
report stating that it had identified, contained, and removed the malware
responsible for the breach. Trustwave reported that the hackers responsible
for the breach had likely removed the malware themselves sometime in mid
October after being detected.

In April 2014, Affinity retained Ernst & Young to perform penetration
testing on its systems in compliance with new gaming regulations. The test
allegedly revealed that the malware previously identified by Trustwave had,
in fact, not been completely contained and removed as reported.
Consequently, Affinity Gaming hired another data security firm, Mandiant, a
direct competitor to Trustwave, to perform a second investigation.

According to Affinity, Mandiant’s review allegedly revealed that
Trustwave’s prior investigation failed to identify the original malware’s
remote access point and two other related malware programs and that hackers
had continued to compromise Affinity’s systems during Trustwave’s
remediation efforts.

In addition to the fees it paid to Trustwave, Affinity seeks to recover
from Trustwave the costs of Mandiant’s services, legal expenses associated
with its defense of multiple investigations, and fees paid to financial
institutions related to the re-issuance of compromised credit cards.

On February 29, 2016, Trustwave filed a motion to dismiss Affinity Gaming’s
complaint for failure to state a claim. Trustwave argues, among other
things, that the Incident Response Agreement demonstrates that Trustwave
only “agreed to investigate certain specific cardholder data components of
Affinity’s network; not Affinity’s entire network.”

Trustwave argues that Affinity failed to plead its fraud-based claims with
the required specificity and that such claims are “nothing more than
dressed-up breach of contract claims.” Trustwave further contends that
Affinity Gaming’s tort claims are barred by the economic loss doctrine, and
that its declaratory judgment claim is “wholly duplicative” of its other
causes of action.

Affinity filed a response to Trustwave’s motion on April 4, 2016 arguing
that its constructive and equitable fraud claims establish a special
relationship with Trustwave, “in light of Trustwave’s specialized knowledge
and skills and Affinity’s unique vulnerability to and reliance on
Trustwave’s superior position.” Affinity disputes that any of its claims are
barred by the economic loss doctrine because they “target both Trustwave’s
contractual misrepresentations”, meaning misrepresentations made in the
Incident Response Agreement itself, “as well as Trustwave’s breaches of
duties independent of its contractual duties.”

According to the Court docket, Trustwave has until April 19, 2016 to reply.
It is still too early to tell which side will prevail, though Trustwave
does have the benefit of strong contractual language executed by
“sophisticated business entities,” and will likely emphasize this in its
reply brief.

The Trustwave case has captured the attention of the entire cyber-risk
industry because it appears to signal a coming trend in the theories of
liability associated with cyber-risk. It puts professional technology
services providers and IT firms on notice that they, too, are held to a
standard of care, and that deviating from it can expose them to liability
for third-party damages.

Technology service providers and IT firms should always discuss risk with
their own counsel to receive comprehensive legal advice and maintain
privilege. In doing so, service providers should reevaluate the strength
and scope of their own engagement agreements, subcontracts, and the
sufficiency of performance standards of professional operations. They
should also seek appropriate insurance coverage, including cyber-insurance,
to further mitigate their risk.