Cyber liability specialist Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said the threat of legal action could result in IT security companies taking longer to carry out investigative work they have been contracted to undertake in the aftermath of a data breach.
Birdsey was commenting after Affinity Gaming, a casino operator in the US, launched legal action against IT security company Trustwave. Affinity Gaming has claimed that Trustwave had made false representations about the security of data on Affinity Gaming's systems.
According to court documents filed by Affinity Gaming and published by SC Magazine (26-page / 518KB PDF), Trustwave was engaged by Affinity Gaming in 2013 to "investigate, diagnose and help remedy" a data breach the casino operator had experienced.
Affinity Gaming claimed that, after Trustwave had concluded its investigation, Trustwave reported that the breach was "contained" and offered some recommendations on how future incidents could be avoided. However, the casino operator said it subsequently discovered that it had "suffered an ongoing data breach". It hired a second IT security company to look into that breach and said that firm reported inadequacies in Trustwave's work.
Affinity Gaming is seeking damages in excess of $100,000 from Trustwave before a district court in Nevada. Trustwave has said it disputes the allegations and intends to "vigorously" defend itself in court, according to an SC Magazine report.
Birdsey said that although this case has been brought in the US, there is no reason why similar claims could not follow in the UK.
"Forensic investigations into data breaches are already generally lengthy and costly," Birdsey said. "However, IT forensic firms might insist on running even more comprehensive investigations to guard against the risk of missing something if they see a threat of legal action against them from those they contract with. Extending the length of investigations might have a knock-on direct and indirect effect on the cost of data breaches to businesses."
Birdsey said that the US case might encourage IT security companies to take steps to minimise their liability.
"This might include amending letters of engagement to address the new threat of legal action against them," Birdsey said. "They could also seek to revise contractual terms on limitations and exclusions in an attempt to avoid liability for losses stemming from any gaps that are later found in their work or findings."
Birdsey said that if third parties are found liable for some costs stemming from data breaches it may impact on how insurers respond to such incidents.
"An increasing number of companies are taking out or considering dedicated insurance policies that provide them with cover in the event they experience a data breach. If a company with such cyber insurance experiences a data breach then they will be able to recover costs under their policy. However, from that insurer's perspective they may have an appetite to pursue a claim against a third party where they are responsible for some or all of the costs linked to that breach. In such instances if the third party has insurance against such claims then it might be that third party's insurer that ends up footing the bill," he said.