Casino Owner Sues Cybersecurity Services Provider, Alleging Botched Response to Data Breach – On December 24, 2015, Nevada casino owner Affinity Gaming filed suit against Trustwave in federal district court, alleging that Trustwave failed to contain and remediate a data breach at Affinity Gaming.
Card brands like Visa and MasterCard require companies that accept credit or debit cards to comply with the Payment Card Industry Data Security Standards (“PCI DSS”). In the event of a data breach involving credit or debit card information (“cardholder data”), such companies are usually compelled to retain a PCI Forensic Investigator (“PFI”) to investigate the cause and extent of the breach, and issue a report that is shared with the card brands.
According to the complaint, Affinity Gaming received reports of credit card fraud from customers and law enforcement in late October 2013, and Affinity Gaming’s IT department concluded that company data systems with cardholder data may have been compromised. Affinity Gaming retained Trustwave as its PFI based on a recommendation from its cyber insurer. According to Affinity Gaming, Trustwave conveyed that, as PFI, it would (i) identify the cause of the breach, (ii) remediate any issues, and (iii) facilitate implementation of measures to help prevent future breaches. Trustwave issued its PFI Report on January 13, 2014 and represented that the “compromise has been contained” and the breach terminated.
On April 16, 2014, Ernst & Young performed a penetration test of Affinity Gaming data systems and identified suspicious activity. Affinity Gaming retained Mandiant to conduct a more thorough forensic investigation, and Mandiant found that the breach identified in October 2013 had not been fully contained or remediated, specifically finding that hackers still had “backdoor” access to Affinity Gaming’s data systems. Based on Mandiant’s findings, Affinity Gaming alleges that Trustwave’s “misrepresentations, omissions, and failures” resulted in significant monetary damages. The complaint asserts various state claims for fraud, negligence and breach of contract.
Trustwave has not yet responded to the complaint, but the case has already attracted attention in the cybersecurity industry and is particularly noteworthy for a few reasons.
First, the case may shed some light on the precise role served by a PFI retained to investigate a data breach, as well as the impact of particular provisions in PFI engagement agreements. Card brands and the PCI organization tend to view the PFI’s role as identifying the cause and extent of a breach to assist card brands and banks in (i) determining whether the company was complying with PCI DSS at the time of the breach, and (ii) identifying which credit or debit cards were compromised. By contrast, companies retaining a PFI may expect more comprehensive services that include thorough remediation and guidance for preventing similar cyber-attacks in the future.
Second, while it may be impossible for cybersecurity services providers to provide guarantees when combatting criminal hacking, the court may attempt to ascertain the point at which a failure to detect or remediate a cybersecurity issue could constitute negligence or fraud by a cybersecurity services provider. Such a decision could have major ramifications for the cybersecurity industry.
Third, the facts giving rise to this lawsuit may provide a valuable case study on best practices when responding to an incident. During the fast-paced, high-pressure and costly response to a significant data breach, effective interaction between internal and external responders is crucial, and misunderstandings, lack of communication and poor decisions will exacerbate a company’s business and legal exposure.
The case is Affinity Gaming v. Trustwave Holdings Inc., 2:15-cv-02464-GMN-PAL (D. Nev.). The complaint is available here.
Reporter, Mark H. Francis, New York, +1 212 556 2117, mfrancis@kslaw.com.
