Affinity Gaming, an operator of casinos located in Nevada, Colorado, Missouri and Iowa, experienced the unthinkable in October 2013. The company received a report from law enforcement that customers' credit cards had been compromised, and Affinity was the suspected source of the breach. Upon further investigation, Affinity's IT team realized they had a problem on their hands and did what many of us would do: They called in a professional cybersecurity incident response firm, Trustwave, to conduct a forensic investigation and remediation.
The situation that followed began as a normal incident investigation, similar to the thousands that take place across the nation each year. After a few twists and turns, the situation got ugly and evolved into a lawsuit that may break new ground for cybersecurity vendor liability.
The complaint filed by Affinity Gaming against Trustwave in the United States District Court for Nevada laid out the sequence of events -- at least from Affinity Gaming's perspective. About a week after learning of the breach, Affinity signed an agreement with Trustwave to conduct a forensic investigation of the incident, and Trustwave arrived on site the next day, beginning a two-month investigation of the security incident. In January, Trustwave submitted a final report, noting that the incident had been fully contained, with malware removed.
Everything seemed to move along fine for a few months until April 2014, when Affinity hired Ernst & Young to perform a penetration test required by the Missouri Gaming Commission. During that testing, Ernst & Young uncovered suspicious activity that appeared to indicate an ongoing malware infection at Affinity.
Affinity then hired a third firm, Mandiant, to conduct a second forensic investigation based upon the Ernst & Young results. According to Affinity's complaint, "Mandiant determined that Trustwave had failed to identify the entire extent of the breach." Affinity then filed a lawsuit against Trustwave, alleging fraud and gross negligence, among other complaints. The suit seeks damages, "which exceed $100,000." As of this writing in February 2016, the case is still pending in the U.S. District Court.
What's next for vendor liability?
The cybersecurity industry is keeping a close eye on this case, as the outcome may affect the nature of vendor relationships for years to come. It's important to remember that the media reports on this incident are all based on Affinity Gaming's complaint, and Trustwave's side of the story has not yet been released. It's also unknown what language about vendor liability exists in the contract between Trustwave and Affinity. It's hard to imagine that Trustwave didn't include language that strictly limits its liability.
While Affinity may not prevail in its lawsuit, the conversation around vendor liability is certain to provoke changes in attitudes around the cybersecurity industry. The Affinity lawsuit is a shot across the bow of consultants, who must now grapple with the potential that a client may sue them for failure to successfully complete an engagement. One would hope this results in greater attention to detail in the completion of security engagements, but a cynic might point out that it is just as likely to lead to consulting agreements with additional language limiting vendor liability.