by Mike Masnick
Tue, Jun 2nd 2009 6:08pm
Wired is discussing the suddenly relevant legal question of whether or not a security auditor should be held liable if it claims a company's data is secure, and then there's a data leak. The specific lawsuit in the spotlight right now involves Savvis -- who had audited the security of CardSystems' computer systems and determined that the company "had implemented sufficient security solutions and operated in a manner consistent with industry best practices." As you may remember, CardSystems was later found to have had a massive breach of credit card data (for a while, until recently surpassed, it was considered the largest ever credit card data breach). So Savvis is now being sued for claiming that CardSystems' systems were secure. This is certainly a tough one. Obviously, it's no good if security auditors are simply rubberstamping things -- but it's impossible to be fully confident that a system is secure, and there can always be a leak somewhere. So holding auditors liable for any such leak could make it prohibitive to even be an auditor -- with the end result being fewer auditors, and potentially less actual security. But... at the same time, you certainly want there to be some incentive for the auditors to take their job seriously. It seems like in the absence of clear negligence on the part of the auditor, that it's a bit extreme to put any liability on the auditor.
If you liked this post, you may also be interested in...
- The Internet Of Things Is a Security And Privacy Dumpster Fire And The Check Is About To Come Due
- Half Of TSA's 30,000 Employees Accused Of Misconduct; Nearly A Third Multiple Times
- Police Slowly Waking Up To Fact That Vehicle Network Security Is A Joke To Hackers, Thieves
- TSA Scores Another PR Win With Assault Of Nineteen Year Old Brain Tumor Patient On Her Way To Treatment
- Michael Bloomberg Comes Down On The Wrong Side Of The Crypto Wars: Supports Backdooring Encryption