The judge’s ruling essentially functions as a reprimand of the way many incident response firms now interact with their clients, according to Edward McNicholas, co-leader of the privacy and cybersecurity practice at Ropes & Gray. If a security company consistently is selling a client other services while working on retainer, and the differences aren’t clear in contractual language, McNicholas said, there is a risk of losing legal protection in the event of a data breach.
“This is a fascinating decision in part because it pokes at the business model in that it tees off on the idea that they had a pre-existing statement of work,” he said. “This judge just said, ‘This business relationship has grown far beyond what we normally see in this context.’”
via Here’s what that Capital One court decision means for corporate cybersecurity.