by Mike Masnick
Tue, Jun 2nd 2009 6:08pm
Wired is discussing the suddenly relevant legal question of whether or not a security auditor should be held liable if it claims a company's data is secure, and then there's a data leak. The specific lawsuit in the spotlight right now involves Savvis -- who had audited the security of CardSystems' computer systems and determined that the company "had implemented sufficient security solutions and operated in a manner consistent with industry best practices." As you may remember, CardSystems was later found to have had a massive breach of credit card data (for a while, until recently surpassed, it was considered the largest ever credit card data breach). So Savvis is now being sued for claiming that CardSystems' systems were secure. This is certainly a tough one. Obviously, it's no good if security auditors are simply rubberstamping things -- but it's impossible to be fully confident that a system is secure, and there can always be a leak somewhere. So holding auditors liable for any such leak could make it prohibitive to even be an auditor -- with the end result being fewer auditors, and potentially less actual security. But... at the same time, you certainly want there to be some incentive for the auditors to take their job seriously. It seems like in the absence of clear negligence on the part of the auditor, that it's a bit extreme to put any liability on the auditor.
If you liked this post, you may also be interested in...
- Telegraph Publishes The Dumbest Article On Encryption You'll Ever Read... Written By David Cameron's Former Speechwriter
- Chipotle Exposes Private Data By Sending HR E-mails Via Unowned Domain, Doesn't See The Problem
- Hillary Clinton Joins The 'Make Silicon Valley Break Encryption' Bandwagon
- TSA: Terrible At Security But Finally Willing To Work On Its Problems
- Law Professor Pens Ridiculous, Nearly Fact-Free, Misleading Attack On The Most Important Law On The Internet