LAS VEGAS (Legal Newsline) - The cybersecurity industry is closely following a first-of-its-kind lawsuit filed against Trustwave over allegations that the forensic investigating company botched its response to a data breach.
“This is a case that the industry is watching because it is not common,” Nicholas A. Oldham, a member of King & Spalding’s Data, Privacy and Security practice group in Washington D.C., told Legal Newsline recently.
Nevada casino owner Affinity Gaming filed suit against Trustwave in federal court in December, alleging that the company failed to contain and remediate a data breach at Affinity Gaming.
The complaint said that Affinity Gaming received reports of credit card fraud from customers and law enforcement in late October 2013. Affinity Gaming’s IT department concluded that company data systems with cardholder information may have been compromised.
Affinity hired Trustwave, which agreed to identify the cause of the breach, remediate any issues and facilitate implementation of measures to help prevent future breaches. But when Affinity later had more breaches, it hired another cybersecurity company to see what went wrong, Mark H. Francis, privacy and cybersecurity attorney with the King & Spalding law firm in New York, recently wrote in a Client Alert notice.
Affinity Gaming retained another company, Mandiant, to conduct a more thorough forensic investigation, and Mandiant found that the breach identified in October 2013 had not been fully contained or remediated, specifically finding that hackers still had “backdoor” access to Affinity Gaming’s data systems, Francis wrote.
Based on Mandiant’s findings, Affinity Gaming alleges that Trustwave’s “misrepresentations, omissions, and failures” resulted in significant monetary damages. The complaint asserts various state claims for fraud, negligence and breach of contract.
Trustwave has not yet responded to the complaint, but the case has already attracted attention in the cybersecurity industry.
“Forensic examiners are kind of like the (Centers for Disease Control), moving quickly but methodically to get ahead of a fast-spreading outbreak and deconstruct it at the same time,” Oldham said.
“The Trustwave lawsuit is important because of the concern that it might cause companies to micro-manage or second-guess their hired forensic guns, actually making it harder to act effectively and make decisions during a breach response.”
Many clients rely on third-party forensic firms to advise them on the cause and impact of an incident so they can respond to regulatory inquiries, he said. Anything that potentially undermines the accuracy of a forensic investigation could cause regulators to second-guess a company’s representations.
“In short, if companies start shooting the messenger, that might have an unintended consequence of making it more difficult for them to pass regulatory scrutiny down the road,” Oldham said.
“This litigation may provide an important case study on communications and decisions by different stakeholders during a fast-paced and high-pressure breach response.”
In his Client Alert memo, Francis said that the case also may shed some light on the precise role served by companies hired to investigate a data breach, as well as the impact of particular provisions in agreements.
While it may be impossible for cybersecurity services to provide guarantees when combatting criminal hacking, the court may attempt to ascertain the point at which a failure to detect or remediate a cybersecurity issue could constitute negligence or fraud by a cybersecurity services provider, Francis wrote.
Such a decision could have major ramifications for the cybersecurity industry, and it may be a valuable case study on best practices when responding to a cyber attack incident.
“During the fast-paced, high-pressure and costly response to a significant data breach, effective interaction between internal and external responders is crucial, and misunderstandings, lack of communication and poor decisions will exacerbate a company’s business and legal exposure,” Francis wrote.