Editors' Pick: Originally published Jan. 25.
When data is compromised, it's normally the hacked company that pays for the damages. Such was the case when 40 million people had their credit card data compromised whenTarget was hacked in 2013. A federal judge ordered the retailer to pay $10 million in damages to the victims.
This system could be changing, as a hacked company is suing the cybersecurity firm it hired. This potentially precedent-setting case could seriously disrupt the cybersecurity industry.
In 2014, U.S. casino company Affinity Gaming was the victim of a breach that affected the credit card information of 300,000 customers. To deal with the fallout and secure its systems, it hired the privately held Trustwave cybersecurity firm. Affinity was allegedly told that everything was secure, but was hacked a second time with Trustwave in charge of its security.
"If [Affinity] can establish that the security company was negligent, then I don't see why this wouldn't become much more common," Peter Toren, a cybersecurity attorney and former prosecutor for Department of Justice's Computer Crimes Division, told The Hill.
The lawsuit itself is only for $100,000 in damages, but it's the precedent it could set that's the most damaging.
This lawsuit comes on the heels of a U.S. appeals court reaffirming the Federal Trade Commission's power to punish companies that don't adequately protect customers' data. The FTC has the ability to sue companies for cybersecurity violations based on a 100-year-old law aimed at preventing unfair and deceptive trade practices. The ruling was made in August 2015 after the hotel company Wyndham Worldwide was the victim of a cyber attack.
With the FTC having the ability to bring companies to court that failed to protect sensitive personal information, it's only natural that companies will look for ways to defray these costs. Shifting the blame to cybersecurity firms and bringing them to court does exactly that.
A Struggling Sector
The impact of the lawsuit won't be known for a while, as the Trustwave cybersecurity firm plans to fight the lawsuit. In the meantime, the sector has been struggling as of late in terms of share value.
The PureFunds ISE Cyber Security ETF (HACK) - Get Report has been on the decline. The ETF was formed in late 2014 and was one of the fastest-growing new ETFs that year in terms of popularity. Since then, however, the ETF has lost 12% of its value. The last six months have been particularly bad, with the fund losing almost 30% of its value.
While the sector may be underperforming, there's still a lot of interest in the industry thanks to the possibility of smaller companies being bought up by larger competitors.
The largest holding in the HACK ETF is CyberArk Software Ltd. (CYBR) - Get Report , which is one of those rare companies that's actually up in 2016. The reason for the rise is because of acquisition rumors from Check Point Software Technologies (CHKP) - Get Report . CyberArk has a market cap of $1.46 billion, while Check Point is at $13.57 billion.
Trustwave, the defendant in the casino's lawsuit, was close to going public back in 2011, but backed out from the process. In late 2015, it was sold to a Singaporean telecom for $770 million.
The good news for investors is that the need for cybersecurity firms will continue to rise, as it's estimated that companies lose a combined $400 billion annually to cyberattacks each year. The steady stream of acquisitions should continue as companies see the value in investing in cybersecurity.
However, investors thinking of putting money in cybersecurity firms will need to pay close attention to the ongoing lawsuit. If cybersecurity firms -- and not their clients -- are found to be responsible for data breaches, their bottoms line will be greatly impacted.
This article is commentary by an independent contributor. At the time of publication, the author held no positions in the stocks mentioned.