Jun 2, 2009

Closing the loop: bringing the lawsuits to the auditors

A while back I had a bit of a rant about security testing and certifications. Today a colleague of mine sent me an article on the first case of legal action being brought against a security auditor. Some quotes that I found interesting:
In theory, CardSystems should have been safe. The industry’s primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems’ auditor, Savvis Inc, had just given them a clean bill of health three months before.

Security is a lucrative business... so lucrative that a lot of people have jumped in to play the game of "securing" business values. Just as in any other sector of the economy, when a lot of newbies join the field, the overall quality of work diminishes. And this has its consequences...
More than four years later, Savvis is being pulled into court in a novel suit that legal experts say could force increased scrutiny on largely self-regulated credit card security practices.

They say the case represents an evolution in data breach litigation and raises increasingly important questions about not only the liability of companies that handle card data but also the liability of third parties that audit and certify the trustworthiness of those companies.

Luckily, for those who still want to join this business, there is the right certification to give them a boost over their competitors. ;)

