[BreachExchange] Responsibility Shifting for Cyber Attacks?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 23 20:53:24 EST 2016


http://www.jdsupra.com/legalnews/responsibility-shifting-for-cyber-66950/

When a company’s protected data is compromised, potential litigants
generally look to the company itself as the target for damages claims. The
list of recent cases filed against the company suffering the data breach is
long and, by now, familiar. In addition to potential damages claims, the
breached company also must sustain the cost of remediation and attorneys’
fees, both in regard to its “first party” costs and with regard to third
party claims. In very large breaches, it’s not uncommon for the company’s
cost to far outstrip its insurance coverage, even if it has very good
coverage. Historically, the breached entity has had nowhere else to look to
try to further defray its costs.

This dynamic is potentially changing, however. In a recently filed case in
the United States District Court for the District of Nevada, Affinity
Gaming has brought suit against its previous cybersecurity consulting firm,
Trustwave, alleging that Trustwave failed to contain a data breach Affinity
hired Trustwave to remediate. Affinity alleges that, in 2014, it was the
victim of a breach that compromised the sensitive financial information of
more than 300,000 customers. Affinity hired Trustwave to investigate,
diagnose, and remedy this data breach. Trustwave subsequently concluded its
investigation, allegedly represented to Affinity that its data breach was
contained, and purportedly provided recommendations to “fend off future
attacks.”

Affinity alleges, however, that Trustwave’s representations were false.
After the engagement with Trustwave concluded, Affinity discovered that it
was suffering an ongoing data breach, which it alleges was still part of
the first breach, causing it to retain a second data security firm,
Mandiant. According to Affinity’s Complaint, Mandiant’s subsequent
investigation revealed that Trustwave’s representations were untrue and its
previous work “woefully inadequate.” Affinity alleges that Mandiant’s
investigation also revealed that Trustwave examined only a small subset of
Affinity’s data systems and failed to identify the means by which the
attacker breached Affinity’s data security.

While the allegations of fraud, breach of contract, and gross negligence in
this lawsuit are substantial, the most interesting aspect of the case is
whether it portends a future trend. The extension of this sort of
“professional liability” to cybersecurity firms will be critical to monitor
– both for businesses and for security professionals alike. And, depending
on the result of the Affinity Gaming case, the landscape of the
cybersecurity industry might be shifting in a major way.