by Mike Masnick
Tue, Jun 2nd 2009 6:08pm
Wired is discussing the suddenly relevant legal question of whether or not a security auditor should be held liable if it claims a company's data is secure, and then there's a data leak. The specific lawsuit in the spotlight right now involves Savvis -- who had audited the security of CardSystems' computer systems and determined that the company "had implemented sufficient security solutions and operated in a manner consistent with industry best practices." As you may remember, CardSystems was later found to have had a massive breach of credit card data (for a while, until recently surpassed, it was considered the largest ever credit card data breach). So Savvis is now being sued for claiming that CardSystems' systems were secure. This is certainly a tough one. Obviously, it's no good if security auditors are simply rubberstamping things -- but it's impossible to be fully confident that a system is secure, and there can always be a leak somewhere. So holding auditors liable for any such leak could make it prohibitive to even be an auditor -- with the end result being fewer auditors, and potentially less actual security. But... at the same time, you certainly want there to be some incentive for the auditors to take their job seriously. It seems like in the absence of clear negligence on the part of the auditor, that it's a bit extreme to put any liability on the auditor.
If you liked this post, you may also be interested in...
- Tone Deaf Zuckerberg Declares Opposition To Zero Rated Apps An 'Extremist' Position That Hurts The Poor
- Who Pays When The DEA Destroys Your Vehicle And Kills Your Employee During A Botched Sting? Hint: Not The DEA
- FBI And United Airlines Shoot The Messenger After Security Researcher Discovers Vulnerabilities In Airplane Computer System
- In Deal To Get Loretta Lynch Confirmed As Attorney General, Senate Agrees To Undermine Free Speech On The Internet
- Recording Industry's Latest Plan To Mess Up The Internet: Do Away With Safe Harbors