Secure Channel, Ziff Davis Enterprise
Thursday, August 06, 2009 9:46 AM/EST

Solution Providers Need CYA in Security Compliance

Security regulations and standards such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX) and the forthcoming Massachusetts data protection legislation have the power to drive purchasing decisions. They also have the potential to leave security solution providers exposed to legal liability for their customers' noncompliance.

At least that's one of the conclusions of a panel discussion I moderated yesterday at the CompTIA Breakaway conference in Las Vegas. The panelists—Sandra Ashworth of Unisys, MJ Shoer of Jenaly Technology Group, Paul Cronin of 1nService and Patrick Wilson of Vital Signs Technology—agreed that security assessments are essential in determining what end users need in order to become compliant with federal and state laws regarding security.

However, they also said that some end users may not like what they hear in a security assessment report and reject the recommendations. For such end users, the panelists recommend taking a play out of the rental car business's playbook: Get the customer to sign off and acknowledge declining the recommendation.

Here's the reason: many end users—particularly small and midsize businesses—don't know what they don't know about their security posture. A solution provider comes in, does an assessment for HIPAA or PCI compliance and finds dozens of serious security problems that need remediation. The customer may be duty bound to fix the security issues, but security is scary and expensive. Some customers may choose not to address their compliance shortcomings, weighing the risk of a breach and penalties against the cost of proactive remediation.

By having them acknowledge on paper that they were made aware of the security problems and compliance issues but declined the recommendations, the solution provider gains a degree of insulation between themselves and the customer should any enforcement action be taken by regulators.

Think it can't happen? It already is, in a way. Merrick Bank is suing Savvis, a security consulting and audit firm, for its role in the massive credit card breach at CardSystems. Savvis didn't provide the security for CardSystems. It simply certified the credit card payment processor as compliant with the PCI-DSS standard. The company that services Visa and MasterCard and their member banks was breached, which led to the compromise of 40 million credit card accounts. Merrick was one of the banks affected.

If customers decline a compliance recommendation, a written acknowledgement also provides the solution provider with an instrument to protect its reputation. It can show it did all the right things (or at least followed best practices) but was turned away by the client.

The willingness of the customer to accept recommendations is a good tool for qualifying an account before doing any work, the panelists said. Wilson, a managed service provider who specializes in the health care vertical, says that if you explain the process to a prospect and they express uneasiness with the recommendation process, you should walk away. Those customers won't be good on any level.
