New Suit by Delta Reminds Everyone About the Importance of Data Security Protection in the Context of Third-Party Service Provider Relationships

In a recent lawsuit filed this month in the United States District Court for the Southern District of New York, Delta Airlines brought suit against its website chat services provider, [24]7, stemming from a 2017 data breach suffered by [24]7 that affected approximately 800,000 of Delta’s customers. Specifically, Delta alleges in its complaint that an attacker gained access to [24]7’s networks and modified the source code of its chat services so that the attacker could “scrape” payment card information from customers as they used the chat feature available on Delta’s website.

Normally, breached entities may be considered victims in their own right, having fallen prey to opportunistic cybercriminals. But the criminal responsible for [24]7’s breach will likely never be identified, much less caught. Instead, Delta is going after the easy target: [24]7 itself.

As if dealing with a massive breach in the normal course were not hard enough, [24]7 has found itself on the wrong end of breach of contract, fraud and negligence claims. Delta seeks “millions of dollars of damages” based upon its allegations that [24]7 failed to protect Delta’s customers’ information as required by contract, knowingly misrepresented its data security protections and failed to protect data in accordance with a reasonable standard of care, respectively. Delta has also asserted indemnification claims on the basis that [24]7’s actions have allegedly caused it to incur notification expenses, provide credit monitoring and identity protection products, and defend against consumer litigation arising from the breach.

Delta’s suit is in its infancy and [24]7 is likely to take an aggressive stance in defense. Although the Court will ultimately decide which of Delta’s claims have merit and which do not, the litigation does offer some valuable reminders to businesses of all shapes and sizes. First, if you contract with third-party service providers (as almost every business does at least to a certain extent), make sure not only that those providers are protecting your and your customers’ information, but also that you have an efficient way to hold them accountable for failures. Second, if you’re a third-party services provider, make sure you’re keeping abreast of security risks and not overpromising the protections you offer.
