Tuesday, 26 January 2016
Lawsuit Could Impact Third-Party Cybersecurity Providers
A recently announced lawsuit in the US could affect how third-party cyber security providers go about their business. The lawsuit, filed by a Nevada-based gaming company, seeks damages against a cyber security firm whose work was found to be “woefully inadequate” by a secondary investigation months after the original work was done.
Various media reports say that Trustwave was hired by Affinity Gaming to investigate and mitigate a known data breach that the company believed could have exposed as many as 300,000 customers. Trustwave was enlisted to take care of things as quickly as possible in order to protect customer data. The original problem Trustwave was hired to deal with dates back to 2013; the secondary investigation did not take place until 2014.
The Affinity Gaming lawsuit alleges that, at the time of the original 2013 problem, Trustwave asserted that its management of the security breach resulted in complete containment. Affinity Gaming took them at their word and went on their way. However, they were forced to hire Ernst & Young in 2014 to conduct penetration testing in response to new regulations enacted by the Missouri Gaming Commission. That testing showed that the security problems Trustwave said had been mitigated were still active.
Affinity Gaming then hired Mandiant to audit the previous Trustwave work. That audit is where the accusations of inadequacy arose. Mandiant investigators insist that Trustwave did not mitigate the issue it was contracted to handle and that the work it did provide was insufficient for the task at hand. Officials from Trustwave vehemently deny the allegations.
There is no way to say who is right and who is wrong without more detailed knowledge of the situation, but it is worth taking a look at the potential effects of this lawsuit. To begin with, let us assume that Trustwave did do everything within its power to contain the data breach at Affinity Gaming. Let us also assume they followed all the proper procedures and protocols, and then let us assume that they sincerely believed they had met their obligations when they reported the security issues closed.
In the era of virtualisation and ever-more complex data centre and colocation facilities, the number of security breaches is growing rapidly. This is neither random nor unexpected. The more complex you make a system, the more exposed that system is to breach. We cannot expect to expand the capabilities of the digital age without also expecting increased security threats.
A successful lawsuit might be just what the industry needs in this case. But it may not be, if it is determined that Trustwave did everything right. In such a case, the lawsuit could motivate third-party cybersecurity providers to be overly cautious and conservative in their approach so as not to face litigation from an unhappy customer.
Again, there is no way for us to know what the outcome of this case should be. We will have to leave it to the courts.