Could Cybersecurity Companies Be Found Liable for Healthcare Data Breaches?

When a cybersecurity company is contracted to investigate a data breach, that company is expected to conduct a thorough investigation, ensure the breach is contained, and make sure backdoors are found and removed. However, what happens if a security company fails to deliver on its promise?

Cybersecurity Firm Sued for Failing to Remedy a Data Breach

Chicago-based cybersecurity firm Trustwave was sued late last year by a company that had contracted it to investigate and remedy a data breach. The lawsuit was filed for the company’s alleged failure to adequately investigate and remedy the breach, leaving the computer system open to a further attack.

The lawsuit was filed by Affinity Gaming in the U.S. District Court in Nevada and states that Trustwave’s investigation and remediation efforts were “woefully inadequate.” The investigation into the suspected hacking of the company’s payment card system failed to prevent individuals from gaining access to payment system data two months later. According to the lawsuit, Trustwave had reported to Affinity Gaming that the breach had been contained.

A subsequent investigation conducted by cybersecurity firm Mandiant revealed that a second breach occurred in December 2013, two months after the first incident and while Trustwave was conducting its own investigation.

The second data breach resulted in losses of $99,294 for Affinity Gaming, and the casino company claims that, as a result of the “grossly negligent” investigation, it was investigated by U.S. gaming and consumer protection regulators. Affinity is looking to recover the losses suffered as a result of the second data breach and is seeking punitive damages of $297,883. The firm also expects Trustwave to cover any regulatory fines that it may be forced to pay as a result of the breach, as well as any claims made by customers and credit card companies. Trustwave denies any wrongdoing, disagrees with the allegations, and intends to fight the case in court.

The case claims that Trustwave made untrue representations about its ability to investigate and remedy the data breach in an attempt to secure business from Affinity Gaming.

This landmark case could well be the first of many filed against cybersecurity firms that have not done enough to contain data breaches and prevent future attacks from occurring. The case should send a message to all cybersecurity firms that they should make sure they can perform the services they advertise or they may be found liable for future losses that are suffered.

Healthcare providers unhappy with the investigations into hacking incidents conducted by the firms they have contracted could also seek to recover losses and regulatory fines that may result, should this case be ruled in favor of the plaintiff.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.