Liability for Failing to Prevent Cyber Risk

Cyber liability threats continue to pose a danger for companies and professionals.  In order to help mitigate the damages of cyber breaches, businesses are becoming increasingly reliant on third-party security vendors to provide cyber consulting and to manage their data security risks.  While prioritizing data security is an important step for firms to take to minimize their own exposure, it is not always possible to eliminate threats entirely.  And when breaches do occur, businesses and their customers may look to hold these third-party data security companies accountable for failing to prevent attacks.

The prospect of security firm liability was recently raised in a federal lawsuit filed in the District of Nevada.  There, a Nevada gaming company suffered a data breach in 2013 that involved fraudulent credit card activity.  The company reported the breach to its insurance carrier, which recommended that it retain a professional forensic data security investigator to contain any further damages.  The gaming company later hired a data security firm that presented itself as an industry leader with the capability to identify and remedy the company’s data breach.

According to the complaint, the security firm agreed to undertake a forensic investigation to determine the extent of the breach and to provide recommendations to increase security.  Following the investigation, the security firm informed the gaming company that the data breach had been contained, that all malware had been deactivated or removed from the servers, and that this activity ended the breach.  However, after the engagement with the security firm ended, the gaming company learned that its data systems were still compromised.

The gaming company alleged that the security firm’s failure to correct the data breach resulted in significant internal and third-party costs.  Accordingly, the company sought damages well in excess of the fees it paid to the security firm for fraud, negligence, and violations of state statutes, based on the security firm’s alleged misrepresentations regarding its expert capabilities.

Given the apparent uptick in cyber liability and exposure, we can expect to see more companies and professionals leaning on cyber security vendors for assistance. Hence, those vendors are likely exposed to increased risk in this developing area of law.