In a landmark case, Affinity Gaming is seeking $100,000 in damages from its cybersecurity provider Trustwave over how the company allegedly handled a data security breach which cost the casino operator $1.2 million.
If successful, this legal action in the US may have implications here in Britain, with the potential to make cybersecurity professionals operating under US law fully accountable to their clients. We at SRM have no issue with this. All cybersecurity professionals should welcome scrutiny, and we would certainly be happy for any potential clients to review our track record in the investigation and containment of data security breaches. As an industry, it is important that we are vigilant at all times, and companies operating in this field should maintain a forensic and meticulous approach throughout any investigation.
The lawsuit has been filed in the US District Court in Nevada, the base and headquarters of Affinity. As reported in The Financial Times, Trustwave was engaged by Affinity to investigate and contain a data breach which exposed the data of up to 300,000 of its customers.
Affinity claims that, while Trustwave was investigating the initial data breach, a second cyberattack took place. They allege that the security company missed this additional attack, declaring at the time that the threat had been contained. And although Affinity had a $5 million cyberinsurance policy in place, they spent $1.2 million on dealing with the breaches. The company is seeking $100,000 in damages from Trustwave.
The landmark lawsuit opens up fresh avenues of liability when it comes to cybersecurity, cyberattacks and data breaches. Until now, when cybersecurity specialist companies have been brought in following a data breach, the companies which engaged them would usually take all necessary steps to appease customers but would also take the financial hit and the loss of reputation that resulted. There has not been, until now, a case where a cybersecurity specialist was embroiled in a legal battle as to how they had handled and contained a security issue.
Affinity says that it “takes seriously its data security obligations” and had regarded finding a specialist with data breach response expertise to be of “paramount importance.” Trustwave has an international presence with offices in Chicago, São Paulo, London and Sydney. However, Affinity is said to have been disappointed with the firm’s performance.
Soon after Trustwave had finished its investigation into the data breach in 2013, claiming that it had been contained, Affinity discovered that its data systems were still compromised. They hired a second cybersecurity consultancy to perform penetration testing, at which point further suspicious activity was identified in the form of a malware program called “Framepkg.exe,” which, it is claimed, Trustwave had found but had neither contained nor sought to remediate during its investigation.
Trustwave denies any negligence on its part and a spokesperson said: “we dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court.” We await the verdict of the court with interest.