Liability for cybersecurity vendors: Affinity Gaming's suit against Trustwave

The complaint filed by Affinity Gaming against Trustwave in the United States District Court for Nevada laid out the sequence of events -- at least from Affinity Gaming's perspective. About a week after learning of the breach, Affinity signed an agreement with Trustwave to conduct a forensic investigation of the incident, and Trustwave arrived on site the next day, beginning a two-month investigation of the security incident. In January, Trustwave submitted a final report, noting that the incident had been fully contained, with malware removed.

Everything seemed to move along fine for a few months until April 2014, when Affinity hired Ernst & Young to perform a penetration test required by the Missouri Gaming Commission. During that testing, Ernst & Young uncovered suspicious activity that appeared to indicate an ongoing malware infection at Affinity.

Affinity then hired a third firm, Mandiant, to conduct a second forensic investigation based upon the Ernst & Young results. According to Affinity's complaint, "Mandiant determined that Trustwave had failed to identify the entire extent of the breach." Affinity then filed a lawsuit against Trustwave, alleging fraud and gross negligence, among other complaints. The suit seeks damages, "which exceed $100,000." As of this writing in February 2016, the case is still pending in the U.S. District Court.

Because there are so many different kinds of third parties, identifying whether they do or don't have the right infrastructure or security protocols can be a challenge. Moreover, doing the proper due diligence needed to vet third-party vendors can be costly and time-consuming.

As so many organizations rely on a variety of different providers, third parties can become gateways into the network. To mitigate the risk of a breach originating with a third party, enterprises need to design a vetting process and understand the language of the service-level agreement in order to evaluate their contracts properly.
