New Suit by Delta Reminds Everyone About the Importance of Data Security Protection in the Context of Third-Party Service Provider Relationships

In a recent lawsuit filed this month in the United States District Court for the Southern District of New York, Delta Airlines brought suit against its website chat services provider, [24]7, stemming from a 2017 data breach suffered by [24]7 that affected approximately 800,000 of Delta’s customers. Specifically, Delta alleges in its complaint that an attacker gained access to [24]7’s networks and modified the source code of its chat services so that the attacker could “scrape” payment card information from customers as they used the chat feature available on Delta’s website.

Normally, breached entities may be considered victims in their own right, having fallen prey to opportunistic cybercriminals. But the criminal responsible for [24]7’s breach will likely never be identified, much less caught. Instead, Delta is going after the easy target: [24]7 itself.

As if dealing with a massive breach in the normal course were not hard enough, [24]7 has found itself on the wrong end of breach of contract, fraud and negligence claims. Delta seeks “millions of dollars of damages” based upon its allegations that [24]7 failed to protect Delta’s customers’ information as required by contract, knowingly misrepresented its data security protections and failed to protect data in accordance with a reasonable standard of care, respectively. Delta has also asserted indemnification claims on the basis that [24]7’s actions have allegedly caused it to incur notification expenses, provide credit monitoring and identity protection products, and defend against consumer litigation arising from the breach.

Delta’s suit is in its infancy and [24]7 is likely to take an aggressive stance in defense. Although the Court will ultimately decide which of Delta’s claims have merit and which do not, the litigation does offer some valuable reminders to businesses of all shapes and sizes. First, if you contract with third-party service providers (as almost every business does at least to a certain extent), make sure not only that those providers are protecting your and your customers’ information, but also that you have an efficient way to hold them accountable for failures. Second, if you’re a third-party service provider, make sure you’re keeping abreast of security risks and not overpromising the protections you offer.

Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2019 Harter Secrest & Emery LLP