A recently announced lawsuit in the US could affect how third-party cyber security providers go about their business. The lawsuit, filed by a Nevada-based gaming company, seeks damages against a cyber security firm whose work was found to be “woefully inadequate” by a secondary investigation months after the original work was done.

Various media reports say that Trustwave was hired by Affinity Gaming to investigate and mitigate a known data breach that the company believed could have exposed as many as 300,000 customers. Trustwave was enlisted to take care of things as quickly as possible in order to protect customer data. The original problem Trustwave was hired to deal with dates back to 2013; the secondary investigation did not take place until 2014.
New Regulations Force Secondary Investigation
The Affinity Gaming lawsuit alleges that, at the time of the original 2013 problem, Trustwave asserted that its management of the security breach resulted in complete containment. Affinity Gaming took them at their word and went on their way. However, they were forced to hire Ernst & Young in 2014 to conduct penetration testing in response to new regulations enacted by the Missouri Gaming Commission. That testing showed that the security problems Trustwave said had been mitigated were still active.

Affinity Gaming then hired Mandiant to audit the previous Trustwave work. That is where the accusations of inadequacy arose. Mandiant investigators insist that Trustwave did not mitigate the issue it was contracted to handle and that the work it did provide was insufficient for the requirement at hand. Officials from Trustwave vehemently deny the allegations.
What It Could Mean
There is no way to say who is right and who is wrong without more detailed knowledge of the situation, but it is worth taking a look at the potential effects of this lawsuit. To begin with, let us assume that Trustwave did do everything within its power to contain the data breach at Affinity Gaming. Let us also assume that it followed all the proper procedures and protocols, and that it sincerely believed it had met its obligations when it reported the security issues closed.

In the era of virtualisation and ever-more complex data centre and colocation facilities, the instances of security breaches are growing exponentially. This is neither random nor unexpected. The more complex you make a system, the more vulnerable that system is to breach. We cannot expect to expand the capabilities of the digital age without also expecting increased security threats.

A successful lawsuit might be just what the industry needs in this case. But it may not be if it is determined that Trustwave did everything right. In such a case, the lawsuit could serve as motivation for third-party cyber security providers to be overly cautious and conservative in their approach so as not to face litigation from an unhappy customer.

Again, there is no way for us to know what the outcome of this case should be. We will have to leave it to the courts.