'

'

'

Erin E. Harrison, Legaltech News

January 22, 2016

If the case moves forward, a casino operator's recent lawsuit against an IT security firm it hired to investigate a data breach could pave the way for similar lawsuits to be brought by clients dissatisfied with the quality of IT security contractors' work.

The suit, filed by Affinity Gaming in December 2015 in U.S. District Court for the District of Nevada,'alleges'that Trustwave failed to meet professional quality standards in a post-hack investigation and prevention of ongoing damage from the hack, which targeted Affinity. Legal observers say the case could open the door for similar lawsuits over issues of liability.

But the initial question for the court will be whether Affinity can seek and obtain damages under both tort and contract law. Most states adhere to the 'economic loss doctrine,' which limits the plaintiff's economic recovery to those contemplated by contract, according to Joseph Abrenio, vice president of commercial services for Delta Risk, a cybersecurity and risk management services provider.

'The reasoning is straightforward: Contractual obligations arise from the promises the parties have made to one another, while tort law is founded on the public policy goal of protecting citizens from risk of physical harm by those that are either careless or negligent,' Abrenio explained in an interview with our ALM sibling, Legaltech News.

However, some states have an exception to the economic loss doctrine where there is a claim of professional negligence or where, as in this case, 'there is a claim that the defendant engaged in a fraudulent inducement to get plaintiffs to enter into a contract or after getting the contract, misrepresented the actual services rendered,' he said.

'In other words, Affinity is claiming that Trustwave made untrue representations about its cyberexpertise or capabilities in an attempt to capture Affinity's business and then misrepresented the services actually provided,' Abrenio added.

Should the court allow the tort claims to proceed, Affinity's potential recovery in damages could far exceed any anticipated breach of contract damages claim, he said.

'For instance, Affinity is not just seeking punitive and exemplary damages, but also all potential loss from third-party claims such as those claims brought by credit card companies and customers. Affinity is even seeking recovery of any regulatory fines or penalties it may have to pay as a result of the underlying data breach.'

Regardless of the outcome of the case, it's a wakeup call to service providers to ensure they can effectively conduct and deliver the services they promise.

'With respect to the cybersecurity industry, this case will likely serve as a warning to both cybersecurity providers and potential clients. Cybersecurity companies must have the proper expertise to conduct the services they promise; moreover, they must have the ability to demonstrate their expertise and their adherence to relevant professional standards when performing their services,' Abrenio said. 'This case is an industry disrupter no matter how it concludes. All interested parties, including cybersecurity companies, potential clients, and their insurers, are now at significant risk to cyber bad actors. As such, appropriate preventative measures, such as cyber exercises, should be conducted on a regular basis to demonstrate whether or not the cyber team is ready to defend company assets, most importantly, the company brand.'

TechInsurance, an online insurance agency for small technology businesses, recently published a guide to understanding the new liability exposure for IT security professionals introduced by'Affinity Gaming v. Trustwave Holdings Inc.

'We've been saying for years that cybersecurity issues aren't going away,' said Ted Devine, CEO of TechInsurance. 'This lawsuit makes that clearer than ever. Not only is cybersecurity here to stay, it's introducing new liability exposures for IT professionals who offer security services.'

To avoid a lawsuit alleging negligence regarding the provision of security services like the one Trustwave is now facing, TechInsurance recommended that cybersecurity businesses take these three steps:

1. Review your errors and omissions insurance policy to see whether third-party cyber liability is covered. If it is not, call your agent to add this protection, and ask about including a retroactive date of inception.
2. Verify the language in your client contracts. It should make explicit the scope of your services, which can help ensure a quick resolution in the event of a lawsuit.
3. Update your client conflict resolution policy. In many cases, handling client complaints as soon as they arise can prevent lawsuits.

Erin E. Harrison'is the Editor-in-Chief of'Legaltech News, an ALM sibling of'e-Commerce Law & Strategy.