In January 2016, Affinity Gaming (Affinity), the owner of several casinos, filed a complaint in the District Court of Nevada against Trustwave Holdings, Inc. (Trustwave), a data security investigator, for Trustwave’s work in securing data after Affinity suffered a data breach.

Affinity’s Complaint contained allegations that after learning of the breach involving the use of stolen credit cards, Affinity contacted its cyber insurer, ACE, and was provided a list of data security investigators. Affinity contacted Trustwave, one of the firms on the list, to investigate and remedy the data breach. Affinity’s Complaint further alleged that after investigating the breach, Trustwave “represented to Affinity that the data breach was ‘contained’ and purported to provide recommendations for Affinity to implement that would help fend off future data attacks.” However, after Trustwave completed its work, Affinity learned that it suffered an ongoing breach and hired a second data security consulting firm, Mandiant.

Trustwave filed a Motion to Dismiss Affinity’s Complaint, arguing that it “agreed to investigate certain specific cardholder data components of Affinity’s network; not Affinity’s entire network.” Regardless of whether the allegations against Trustwave are proven, this case provides further evidence that not hiring a breach response team isn’t worth the gamble.

On September 30, 2016, the District Court of Nevada denied in part and granted in part Trustwave’s Motion to Dismiss. The District Court’s Order provided the following reasoning for allowing Affinity to continue to pursue its claims for breach of contract, fraud and deceptive trade practices:

Motion to Dismiss Denied

  • Breach of Contract: Regardless of whether Delaware or Nevada law is applied, the District Court held Affinity sufficiently alleged a breach of contract claim. In particular, the court found Affinity alleged that Trustwave breached its contract by failing to “perform a forensic investigation to identify, and remedy or contain, the causes of [Plaintiff’s] data breach, and to issue recommendations for measures [Plaintiff] would undertake to prevent further breaches in the future.”
  • Fraud Counts: The District Court examined Affinity’s tort claims in the context of the economic loss doctrine, which “allows a party to recover in tort only if losses are accompanied by bodily harm or property damage; in other words, the doctrine prevents plaintiffs from recovering in tort for losses suffered that are solely economic in nature.” First, the court held Affinity had sufficiently pled its fraudulent inducement claim. Next, it noted Affinity’s allegations that Trustwave “misrepresented its ‘capabilities and experience as a data security service provider,’ ‘that it had undertaken a proper investigation,’ that the breach had been secured, and that its recommendations ‘would help to prevent…further data breaches from occurring.’” Further, Affinity alleged that these representations were untrue and that it relied on them, which, in turn, provided sufficient support for this cause of action.
  • Deceptive Trade Practices: Affinity pled a claim under Nevada’s Deceptive Trade Practices Act, which prohibits a seller from making false statements or misrepresentations about his or her goods or services, or failing to disclose material facts about his or her goods or services. Here, Affinity alleged that Trustwave “engaged in deceptive trade practices by falsely representing that [Trustwave] had the capabilities to perform the obligations under the Agreement, that [Trustwave] undertook a proper investigation to determine the cause of the data breach, that the data breach was ‘contained’ and the backdoor was ‘inert,’ when it was not, and that [Trustwave’s] recommendations would prevent further data breaches.” The District Court was not prepared to dismiss this claim because it could still be viable if the court found the contract between the parties was invalid.

Motion to Dismiss Granted

  • Breach of Implied Duty of Good Faith and Fair Dealing: The District Court opined that to successfully plead a breach of an implied covenant of good faith and fair dealing, “a plaintiff must allege ‘a specific implied contractual obligation, a breach of that obligation by the defendant, and resulting damage to the plaintiff.’” The court held Affinity’s cause of action should be dismissed because it failed to allege facts demonstrating a specific implied contractual obligation as required under controlling law.
  • Gross Negligence: Affinity claimed Trustwave owed it a “duty of care in performing its data security services, and in providing information that was truthful and accurate regarding Trustwave’s investigation, the causes of Affinity’s data breach, and the remediation or containment of that breach.” Under controlling law, Affinity was required to establish that Trustwave failed “to exercise even the slightest degree of care” in its conduct. The court granted Trustwave’s motion because Affinity’s complaint failed to allege Trustwave breached any duty independent of its contractual duties.
  • Negligent Representation: Affinity claimed that Trustwave misrepresented its capabilities to protect against a breach. The District Court found this claim should be dismissed to the extent the complaint failed to allege that Trustwave’s alleged misrepresentation was made in the course of Trustwave’s business “or that these representations were ‘for the guidance of others in their business transactions.’”

This litigation demonstrates the high stakes involved in responding to a data breach, even for highly sophisticated companies with developed expertise in data security. That is, if Affinity is able to support its allegations against Trustwave, this would be a case of hackers outmaneuvering the “good guys.” Therefore, it is easy to see how the cards are stacked against those companies whose breach response team doesn’t include the expertise of a data consulting firm or other such professionals.