Trustwave, a Top 100 MSSP, says a lawsuit against the company is without merit.
The lawsuit involves a Heartland Payment Systems data breach dating back to 2008. Two insurers want $30 million in restitution from Trustwave, claiming the MSSP didn't effectively safeguard the payment company from attackers.
Trustwave begs to differ. In a statement to MSSP Alert, the company said:
"Trustwave filed a lawsuit in Delaware against insurers Lexington and Beazley in response to their time-barred and unwarranted attempt to recoup the insurance payments they made as coverage for a 2008 data breach at Heartland. The insurers subsequently filed a duplicative suit in Illinois regarding the exact same matter. Trustwave provided Heartland with an assessment of its compliance with PCI DSS. However, such an assessment, as the contract at issue makes clear, in no way guarantees that the company examined has not or cannot be breached. Trustwave did not manage Heartland’s information security, and at no time did Heartland assign blame for the breach or make any claim against Trustwave. The insurers’ demand related to a decade-old breach is entirely without merit. Trustwave initiated the lawsuit in order to obtain a resolution of these baseless demands and intends to pursue this matter vigorously."
Memo to MSPs: Review Your Contracts
Whatever the legal outcome, the case offers a timely reminder to MSPs. Customers and insurers increasingly take aim at MSPs and MSSPs when a breach or security setback surfaces -- attempting to hold the service providers responsible regardless of the actual contract stipulations.
For instance: Chatter about SMBs holding MSPs accountable for ransomware payments and breach cleanups was quite loud at the recent Automation Nation 2018 conference, hosted by ConnectWise.
As ConnectWise CEO Arnie Bellini told MSPs during a special security session: Whether you think you're in the security market or not -- your customers believe you're the security provider, and those customers intend to hold your business accountable for data protection.