Secure Channel, Ziff Davis Enterprise
Wednesday, June 03, 2009 10:23 AM/EST

Lawsuit Could Redefine Liabilities of Security Service Providers

Information security managers and executives have long been held accountable for security incidences and breaches, but what about the people who certify or provide the security? In other words, should auditors and managed security service providers be held accountable for breaches that happen after they’ve signed off on security measures?

That is the question before the courts in the case of the 2005 breach of CardSystems, a credit card payment processor that suffered a theft of more than 40 million credit card numbers, according to a Wired.com report. CardSystems had been certified as compliant with the Cardholder Information Security Program (CISP), the precursor to the Payment Card Industry Data Security Standard (PCI DSS). But an incident response analysis discovered that CardSystems wasn’t in compliance with the security standards at the time of the breach.

According to the Wired report, a lawsuit brought by Merrick Bank is moving forward against Savvis, the managed service provider that certified CardSystems as CISP compliant. The lawsuit alleges that Savvis was negligent in certifying CardSystems as secure and bears responsibility. Savvis is a partner of such vendors as Cisco, Microsoft and Hewlett-Packard.

The Wired report is correct that this is an escalation of the information security legal standard. For example, TJX and Heartland, two companies that have suffered among the largest publicly known data breaches, faced lawsuits for their inaction and failure to provide adequate security. However, auditors and security providers haven’t endured the same post-breach action.

Security managed service providers, in theory, are not isolated from responsibility for breaches that occur under their watch. But many mitigate their liability through carefully worded service level agreements, which spell out the conditions and map responsibilities for security incidents.

Auditors, on the other hand, are often simply there to check and ensure that certain prescribed actions are implemented, such as the 12 steps for PCI compliance or due diligence as defined by the Sarbanes-Oxley Act.

What will be interesting about this lawsuit is how the court assigns responsibility for a breach at a certified business. Audits, by their very nature, are point-in-time or snapshot checks. They cannot account for the dynamic variables of business and IT operations that may weaken security over the long haul. For instance, New York-based Hannaford Brothers supermarkets suffered a security breach that resulted in the theft of 4 million credit card numbers despite being PCI compliant. Why? A trusted inside administrator is suspected of pulling off the heist. Security experts said that no amount of PCI security measures could have prevented such a breach.

As any security pro knows, security is a moving target. Anyone who says they know the precise state of their security posture and status is either naïve or lying. Perhaps the standard for auditing certification should focus more on processes rather than implementation. Yes, having SSL encryption and a perimeter is important, but is it more important to have procedures for activity monitoring and incident response? After all, it’s widely acknowledged that standards such as PCI and SOX are hardly enough to ensure an organization is secure.

As Wired reported, the Merrick lawsuit against Savvis may rest on the interpretation of an Arizona state law that gives companies standing to sue third parties for damages if those third parties are intended to provide an indirect benefit to the primary parties. If Merrick succeeds, it could set a new legal precedent for information security and compel operational changes for security auditors and managed service providers.


Comments (2)

As a PCI Accredited Scan Vendor (ASV) this is an issue that is close to heart for netVigilance, Inc.

There are several problems involved.

1) Many companies work under the assumption that PCI Compliant means secure; it does not. You can easily be PCI Compliant without being secure. However, it does work the other way: if you are truly Secure, then you are also PCI Compliant.
We preach: be Secure first, Compliant follows automatically.

2) Companies like Cardsystems must accept and embrace that they are ultimately responsible for their own Security. Auditors can only HELP in assessing your security, Auditors can never build a mindset that puts security high in a company, only the company leadership can do that.

3) Some customers lie and cheat to get a passing certification, and the auditors are mostly powerless against such tactics.

4) However, without knowing anything about Savvis' conduct in this specific instance, some Auditors do work in a negligent way, marking their checklist without doing the actual check in a diligent way. Those auditors should be slapped HARD; 3rd parties like Merrick Bank have to be able to trust that the Auditor did best effort and did not skip important checks.

I think that auditors, like any other company, should have to stand behind their work, put their money where their mouth is, and be ready to face the music when the breach occurs.

Jesper Jurcenoks
CTO, netVigilance, Inc.

I agree with Jesper's comments, especially #1. Compliance isn't the end state. The objective is to be SECURE! Tests, reviews, audits, etc. can only provide an indicator of the security posture. Security can be an expensive insurance policy, but in today's connected world it is a cost of doing business.

Holding 3rd party companies accountable is necessary, but it can't be the scapegoat. The company is ultimately responsible for ensuring that their security program is sound, not just based on the results from a narrow independent review.

If 3rd party security companies are negligent, drop the hammer.

Jesse Pike
Compushare
