The legal stakes have never been higher for those practicing cybersecurity. In fact, in December 2013, Affinity Gaming, a casino operator based in Nevada, reported suffering a security breach of its payment card systems by outside hackers. Affinity Gaming hired Trustwave, a Chicago-based security consulting firm, to investigate and contain the breach. Trustwave employees spent more than two months investigating the breach, finding its source, and working to contain it. According to a complaint filed by Affinity Gaming in the district court of Nevada, Trustwave, at the conclusion of its work, informed the company that the breach was contained and all associated malware had been removed.
Several months later during a routine penetration test, testers identified signs of suspicious activity associated with the malware that should have been removed by Trustwave employees. This time Affinity Gaming brought in Mandiant, a security consulting company focused on computer forensics and incident response, to investigate. According to the filed complaint, Mandiant’s investigation determined that the company’s payment card systems had again been breached and that the hackers broke into their network while Trustwave was still conducting its investigation.
According to the complaint, Mandiant’s investigation concluded that “Trustwave’s prior work was woefully inadequate,” and Affinity Gaming claims that Trustwave misrepresented the facts and that its work was “grossly negligent.” As such, Affinity Gaming is seeking compensation for the damages it suffered as a result of Trustwave’s negligence. This raises some very interesting legal and liability questions for cybersecurity professionals:
- What is the legal standard of proficiency for cybersecurity professionals?
- How does one define grossly negligent work?
- Can cybersecurity professionals be held personally liable for grossly negligent work?
Even more interesting, Affinity Gaming made assertions that would lead one to believe that it was not responsible for its own security. In the complaint, Affinity Gaming stated that it “is not an IT security firm and lacks the level of expertise and know-how in the technical aspects of data security that a firm like Trustwave purports to possess.” As such, Affinity Gaming was wholly dependent on Trustwave to fix its compromised data security. This raises several more interesting questions:
- Can a company abdicate its legal responsibilities and duties for data security to a third party?
- What legal liabilities are cybersecurity services companies assuming?
- Do companies have a legal duty to obtain the technical know-how, whether through full-time employees or through third parties, to provide sufficient data security?
- How does one legally define sufficient data security?
Cybersecurity is a very new profession and field of study and many of these questions have yet to be answered. I believe we will see an increasing number of similar lawsuits filed over the next several years that will ask the courts to answer these and other questions, especially around someone’s right to privacy related to telecommunications and technology. At Regis, we provide context around these questions and encourage students to actively debate them from not just a legal perspective but also through a moral, ethical, and societal lens. I hope you can join us in the debate and help provide answers to these difficult questions.