Casino company Affinity Gaming is accusing a cybersecurity firm of failing to “adequately investigate and remedy a data breach.”
In a landmark case that could sound the alarm bells for other cybersecurity firms, Affinity Gaming has filed a lawsuit against Trustwave, claiming the company carried out a “woefully inadequate” investigation of a hack that led to a misleading report, which, in turn, opened a new avenue of liability around data breaches.
In its lawsuit, filed in the U.S. District Court in Nevada late last year, Affinity said it hired Chicago-based Trustwave in 2013 to check out a suspected cyber-attack on its payment cards system. Two months later, Trustwave told the Las Vegas company the breach was already “contained,” but Affinity claimed it later found out the company’s systems were still breached even after Trustwave’s investigation.
A separate investigation by data security firm Mandiant revealed the breach wasn’t contained, and that Affinity’s data was compromised despite Trustwave’s remediation efforts, according to court documents.
“While Trustwave had concluded that the last data breach activity occurred in October 2013, Mandiant’s investigation revealed that these persons/organizations again compromised Affinity Gaming’s data in December 2013, while Trustwave’s supposed investigation and remediation efforts were still ongoing,” Affinity Gaming said in its lawsuit.
The casino company said it suffered significant financial losses and was even checked out by U.S. gaming and consumer protection regulators due to Trustwave’s “grossly negligent performance.” Affinity Gaming is asking for more than US$99,294 (£70,000) in compensation and more than US$297,883 (£210,000) in punitive damages.
Joseph DeMarco, a lawyer who specializes in data privacy, told Financial Times he expects more similar cases as other breaches will be investigated, “sometimes in ways that the victim is not satisfied with.”
“This litigation demonstrates that as the law of data privacy and security continues its lightning-fast evolution, so does litigation in this area,” DeMarco noted, according to the news outlet.
A spokesperson for Trustwave told SCMagazine.com in an email that the company disagreed “with the allegations in the lawsuit, and we will defend ourselves vigorously in court.
Meanwhile, STEALTHbits Technologies channel marketing manager believes Affinity Gaming is not after the money, telling SCMagazine.com: “What better way to distract attention from the undisputed fact that you allowed malware to protect your network in the first place than to sue… the company you hired to mitigate the damage of the initial breach.”
