Editors' Pick: Originally published Jan. 25.
When data is compromised, it's normally the hacked company that pays for the damages. Such was the case when 40 million people had their credit card data compromised when Target was hacked in 2013. A federal judge ordered the retailer to pay $10 million in damages to the victims.
This system could be changing, as a hacked company is suing the cybersecurity firm it hired. This potentially precedent-setting case could seriously disrupt the cybersecurity industry.
In 2014, U.S. casino company Affinity Gaming was the victim of a breach that affected the credit card information of 300,000 customers. To deal with the fallout and secure its systems, it hired the privately held Trustwave cybersecurity firm. Affinity was allegedly told that everything was secure, but was hacked a second time with Trustwave in charge of its security.
"If [Affinity] can establish that the security company was negligent, then I don't see why this wouldn't become much more common," Peter Toren, a cybersecurity attorney and former prosecutor for the Department of Justice's Computer Crimes Division, told The Hill.
The lawsuit itself is only for $100,000 in damages, but it's the precedent it could set that's the most damaging.
This lawsuit comes on the heels of a U.S. appeals court reaffirming the Federal Trade Commission's power to punish companies that don't adequately protect customers' data. The FTC has the ability to sue companies for cybersecurity violations based on a 100-year-old law aimed at preventing unfair and deceptive trade practices. The ruling was made in August 2015 after the hotel company Wyndham Worldwide was the victim of a cyber attack.
With the FTC able to bring to court companies that failed to protect sensitive personal information, it's only natural that companies will look for ways to defray these costs. Shifting the blame to cybersecurity firms and bringing them to court does exactly that.