
Cybersecurity vendor liability breaks new ground

Security vendor liability is being brought into the spotlight by various lawsuits, including Affinity Gaming's suit against Trustwave. Here's why what's happening is so important.

Affinity Gaming, an operator of casinos located in Nevada, Colorado, Missouri and Iowa, experienced the unthinkable in October 2013. The company received a report from law enforcement that customers' credit cards had been compromised, and Affinity was the suspected source of the breach. Upon further investigation, Affinity's IT team realized they had a problem on their hands and did what many of us would do: They called in a professional cybersecurity incident response firm, Trustwave, to conduct a forensic investigation and remediation.

The situation that followed began as a normal incident investigation, similar to the thousands that take place across the nation each year. After a few twists and turns, the situation got ugly and evolved into a lawsuit that may break new ground for cybersecurity vendor liability.

What happened?

The complaint filed by Affinity Gaming against Trustwave in the United States District Court for Nevada laid out the sequence of events -- at least from Affinity Gaming's perspective. About a week after learning of the breach, Affinity signed an agreement with Trustwave to conduct a forensic investigation of the incident, and Trustwave arrived on site the next day, beginning a two-month investigation of the security incident. In January, Trustwave submitted a final report, noting that the incident had been fully contained, with malware removed.

Everything seemed to move along fine for a few months until April 2014, when Affinity hired Ernst & Young to perform a penetration test required by the Missouri Gaming Commission. During that testing, Ernst & Young uncovered suspicious activity that appeared to indicate an ongoing malware infection at Affinity.

Affinity then hired a third firm, Mandiant, to conduct a second forensic investigation based upon the Ernst & Young results. According to Affinity's complaint, "Mandiant determined that Trustwave had failed to identify the entire extent of the breach." Affinity then filed a lawsuit against Trustwave, alleging fraud and gross negligence, among other complaints. The suit seeks damages, "which exceed $100,000." As of this writing in February 2016, the case is still pending in the U.S. District Court.

What's next for vendor liability?

The cybersecurity industry is keeping a close eye on this case, as the outcome may affect the nature of vendor relationships for years to come. It's important to remember that the media reports on this incident are all based on Affinity Gaming's complaint, and Trustwave's side of the story has not yet been released. It's also unknown what language about vendor liability exists in the contract between Trustwave and Affinity. It's hard to imagine that Trustwave didn't include language that strictly limits its liability.

While Affinity may not prevail in its lawsuit, the conversation around vendor liability is certain to provoke changes in attitudes around the cybersecurity industry. The Affinity lawsuit is a shot across the bow of consultants, who must now grapple with the potential that a client may sue them for failure to successfully complete an engagement. One would hope this results in greater attention to detail in the completion of security engagements, but a cynic might point out that it is just as likely to lead to consulting agreements with additional language limiting vendor liability.


This was last published in March 2016


2 comments


Tough call, complex issue. Of course everyone who touched this is responsible for one error or another, to one degree or another. But how culpable does that make them financially? I'd best leave that for the lawyers to figure out, but I would think everyone shares some responsibility for cyber security. This isn't YOUR problem or MY problem; it's far bigger than that. The entire industry is responsible for getting this right. Quickly.

Maybe if every single person all along the line, from top to bottom, had to pay for the entire cost of security breaches we'd be much quicker in finding a solution.
Do you think Trustwave is at fault in this situation? Why or why not?