A post from Chris Cope CISM, CISSP, MInstISP, CESG Certified Professional, PCBCM, ISO27001 Lead Auditor and Advent IM Security Consultant
It had to happen at some point: a cyber security company is being sued by a customer for not delivering the goods. Las Vegas-based Affinity Gaming has initiated legal proceedings against Chicago firm Trustwave for making representations that were untrue and for carrying out work which was ‘woefully inadequate’. The point of contention was a hack on the casino’s payment card system in 2013. Affinity allege that Trustwave concluded that the intrusion had been contained and dealt with, but the casino operators later suspected this was not the case and engaged another security consultant, Mandiant, to confirm. The breach had not, allegedly, been contained, and now Affinity is looking to obtain damages from Trustwave.
This is not the place to suggest what did or didn’t happen; that will be discussed, at considerable length I suspect, in the American courts. Rather, a better topic for discussion is that of contractor liability. This lawsuit is a bit of a first for the cyber security industry, although the concept of suing contractors for damages is by no means new. Countless companies and individuals have been sued for breach of contract or for damages in tort. I suspect it was only a matter of time before our industry saw similar action. But this should be taken as a wake-up call.
In English law, a consultancy firm is seen as providing a service to the customer. Section 13 of the Supply of Goods and Services Act 1982 states that ‘In a contract for the supply of a service where the supplier is acting in the course of a business, there is an implied term that the supplier will carry out the service with reasonable care and skill’. The key term here is reasonable: what would a reasonable person judge to be a service that was carried out in a competent fashion? Note that the law does not require a contractor to provide a perfect service; there is a recognition that contractors are human and that to expect perfection is unreasonable.
So how then can a cyber security contractor ‘prove’ its competence and ability to deliver a reasonable service? Whilst the burden remains on the accuser to prove incompetence, it doesn’t hurt to ensure that a good, proactive defence is in place.

First of all, the competence of employees must be evaluated and baselined. There is a plethora of cyber security qualifications available, and drawing comparisons between qualifications awarded by different bodies can be difficult, but it remains perfectly possible to ensure that consultants are qualified for the tasks they are expected to perform and, perhaps most importantly of all, that they maintain those qualifications.

Secondly, cyber security is a very broad field and being an expert in every area is almost impossible, so assigning consultants to tasks which suit their skill sets is hugely important. The supervision of less well qualified personnel must also be taken into account: junior staff members must be able to develop their skills, but for the customer’s sake they must be supervised properly in the process. It’s worth companies remembering that, through vicarious liability, they are responsible for the actions of their employees whilst delivering a contract. Their mistakes will come back to haunt the employer unless sufficient care is taken.

We must also ensure that we appropriately manage the expectations of our customers. No venture is ever risk free and there is no single piece of technology which will solve every problem; our goals should state clearly that we intend to reduce the risk to an acceptable level, not eradicate it completely. If we promise too much then it’s no surprise that customers expect too much.

Finally, whilst the above is correct for English law, other jurisdictions have different rules; companies that work globally would be wise to ensure they understand the local environment properly before signing a contract.
The cyber security profession is evolving and it is only to be expected that practitioners will face greater scrutiny. Rather than adopting the position that companies like Affinity are looking for a scapegoat for their own failures, we must ensure that we are able to consistently deliver a good enough service. This may be the first such action, but I doubt it will be the last.