This article was originally published in Advisen’s Front Page News on January 20, 2016.

A recently filed lawsuit by a casino will place a spotlight on the services provided by data security investigators and the expectations of those looking to secure data.

On October 24, 2013, Affinity Gaming, the owner of several casinos, learned it suffered a data breach involving the fraudulent use of stolen credit card information. After learning of the breach, Affinity contacted its cyber insurer, ACE, and was provided a list of data security investigators. Affinity contacted one of the firms on the list, Trustwave Holdings, Inc., to investigate and remedy the data breach.

After investigating the breach, Affinity alleges that Trustwave “represented to Affinity Gaming that the data breach was ‘contained’ and purported to provide recommendations for Affinity Gaming to implement that would help fend off future data attacks.” However, after Trustwave completed its work, Affinity learned that it suffered an ongoing breach and hired a second data security consulting firm, Mandiant.

After Mandiant completed its investigation, Affinity alleged the following concerning Trustwave’s work:

Mandiant’s forthright and thorough investigation concluded that Trustwave’s representations were untrue, and Trustwave’s prior work was woefully inadequate. In reality, Trustwave lied when it claimed that its so-called investigation would diagnose and help remedy the data breach, when it represented that the data breach was “contained,” and when it claimed that the recommendations it was offering would address the data breach. Trustwave knew (or recklessly disregarded) that it was going to, and did, examine only a small subset of Affinity Gaming’s data systems, and had failed to identify the means by which the attacker had breached Affinity Gaming’s data security. Thus, Trustwave could not in good faith have made the foregoing representations to Affinity Gaming.

Mandiant stated it found two malware programs not identified by Trustwave that gathered information before, during and after Trustwave’s engagement with Affinity. The report also found Trustwave’s recommendations to improve Affinity’s data security “were pointless” because “none addressed the source of the data breach, and none would have prevented the attacker from again accessing Affinity Gaming’s data systems (for instance, through the backdoors that Trustwave failed to find and close).”

In its complaint, Affinity claims Trustwave caused it significant damages including costs for Mandiant to investigate Affinity’s data security issues after Trustwave’s investigation. Affinity also claims it had to pay costs to credit card companies to replace stolen cards as well as information and costs related to provide notification of a second breach at its casinos.

Based on these allegations, Affinity’s complaint asserts the following causes of action:

  • Fraudulent Inducement: Affinity claims Trustwave made certain misrepresentations and omissions of material information “with the intent to induce Affinity Gaming to enter into a contract with Trustwave.”
  • Fraud: Affinity claims Trustwave misrepresented it was capable of diagnosing Affinity’s security issues and that it could contain any breach at Affinity. The complaint alleges that Trustwave falsely represented that it had contained the malware and fixed the security problems.
  • Constructive/Equitable Fraud: Affinity claims Trustwave had a special relationship with Affinity to the extent Trustwave indicated it had specialized knowledge concerning data security.

In addition to the fraud counts, Affinity also claims Trustwave acted with gross negligence in providing recommendations to fix Affinity’s issues and future security concerns. The complaint also contains causes of action for a violation of NRS 598 (Fraud), negligent misrepresentation and breach of contract. Finally, in addition to monetary damages, the complaint seeks punitive damages against Trustwave.

While it has not filed a response to Affinity’s allegations, reports indicate Trustwave denies any negligence on its part, and further states that “we dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court.”

This litigation will place data investigators under the microscope where all parties involved will need to rely on highly-technical information to prove their cases. This litigation will undoubtedly make data investigators consider what services they are offering and how they provide those services. Likewise, it will make consumers of these services consider their expectations for these services.