by Mike Masnick
Tue, Jun 2nd 2009 6:08pm
Wired is discussing the suddenly relevant legal question of whether or not a security auditor should be held liable if it claims a company's data is secure, and then there's a data leak. The specific lawsuit in the spotlight right now involves Savvis -- who had audited the security of CardSystems' computer systems and determined that the company "had implemented sufficient security solutions and operated in a manner consistent with industry best practices." As you may remember, CardSystems was later found to have had a massive breach of credit card data (for a while, until recently surpassed, it was considered the largest ever credit card data breach). So Savvis is now being sued for claiming that CardSystems' systems were secure. This is certainly a tough one. Obviously, it's no good if security auditors are simply rubberstamping things -- but it's impossible to be fully confident that a system is secure, and there can always be a leak somewhere. So holding auditors liable for any such leak could make it prohibitive to even be an auditor -- with the end result being fewer auditors, and potentially less actual security. But... at the same time, you certainly want there to be some incentive for the auditors to take their job seriously. It seems like in the absence of clear negligence on the part of the auditor, that it's a bit extreme to put any liability on the auditor.
If you liked this post, you may also be interested in...
- Nest Thermostat Goes From 'Internet Of Things' Darling To Cautionary Tale
- Ding-Dong -- Your Easily Hacked 'Smart' Doorbell Just Gave Up Your WiFi Credentials
- Copyright Blocking Security Research: Researchers Barred From Exploring Leaked Archive
- Latest Email Dump Shows Hillary Clinton Telling Aide To Send Classified Documents Over Unsecure Fax Line
- DailyDirt: Trust In Math