A security firm is being sued by two insurance companies who are seeking to recover losses after the firm failed to detect malware on a client’s network that led to a major breach. Could you be put in this position if your customer was breached? Since we know that no technical control is 100% effective, let’s look at the other factors that led to the potential liability for this firm.
The client was Heartland Payment Systems, and the firm was Trustwave. Trustwave was contracted to provide Heartland with cybersecurity monitoring, but was also their Payment Card Industry Qualified Security Assessor (PCI QSA), responsible for auditing Heartland and confirming that they were meeting the PCI Data Security Standard requirements. The requirements include firewall protection, unique IDs for access, encryption of data, and monitoring for behaviors that could indicate a compromise.
The suits contend that following the breach, an investigation found that Heartland was NOT meeting these requirements and that Trustwave contributed to the breach by overlooking the lack of compliance, providing a wrongful attestation and failing to detect the incident. Visa also prohibited Heartland from continuing to use Trustwave.
Trustwave is fighting back, and their arguments (that a point-in-time audit cannot guarantee that a client continues to meet the compliance requirements, and that even if every compliance requirement is met, that doesn’t mean a client cannot be breached) are true. However, if the courts find that they were negligent in meeting the contractual agreements for auditing controls and providing monitoring, they could be liable for all or some of the $148 million in settlement fees Heartland was forced to pay. The two insurers involved in the suits only covered about $60 million of those costs.
How can you protect yourself and your clients? Make sure your cyber testing and compliance audits are performed by a qualified resource. Monitoring should be reviewed to confirm that it covers the proper scope, is being done 24/7/365, and includes ongoing tuning and reporting. Discuss the importance of proactive testing of both technical controls and staff’s susceptibility to hacking. Finally, talk to clients about the importance of understanding their cyber liability coverage. Many commercial policies don’t cover all the costs, including notifications, fines, and legal settlements, and coverage may require evidence that the client was meeting compliance requirements and cybersecurity best practices.