- Privacy Risk Report - https://privacyriskreport.com -

Casino’s Lawsuit Shows High Stakes for Breach Response

In January 2016, Affinity Gaming (Affinity), the owner of several casinos, filed a complaint in the District Court of Nevada [1] against Trustwave Holdings, Inc. (Trustwave), a data security investigator, for Trustwave’s work in securing data after Affinity suffered a data breach.

Affinity’s Complaint contained allegations that after learning of the breach involving the use of stolen credit cards, Affinity contacted its cyber insurer, ACE, and was provided a list of data security investigators. Affinity contacted Trustwave, one of the firms on the list, to investigate and remedy the data breach. Affinity’s Complaint further alleged that after investigating the breach, Trustwave “represented to Affinity that the data breach was ‘contained’ and purported to provide recommendations for Affinity to implement that would help fend off future data attacks.” However, after Trustwave completed its work, Affinity learned that it suffered an ongoing breach and hired a second data security consulting firm, Mandiant.

Trustwave filed a Motion to Dismiss [2] Affinity’s Complaint, arguing that it “agreed to investigate certain specific cardholder data components of Affinity’s network; not Affinity’s entire network.” Regardless of whether the allegations against Trustwave are proven, this case provides further evidence that not hiring a breach response team isn’t worth the gamble.

On September 30, 2016, the District Court of Nevada denied in part and granted in part Trustwave’s Motion to Dismiss. The District Court’s Order [3] provided the following reasoning for allowing Affinity to continue to pursue its claims for breach of contract, fraud and deceptive trade practices:

Motion to Dismiss Denied

Motion to Dismiss Granted

This litigation demonstrates the high stakes involved in responding to a data breach, even for highly sophisticated companies with a developed expertise in data security. That is, if Affinity is able to support its allegations against Trustwave, this would be a case of hackers outmaneuvering the “good guys.” Therefore, it is easy to see how the cards are stacked against those companies whose breach response team doesn’t include the expertise of a data consulting firm or other such professionals.