by Mike Masnick
Tue, Jun 2nd 2009 6:08pm
Wired is discussing the suddenly relevant legal question of whether or not a security auditor should be held liable if it claims a company's data is secure, and then there's a data leak. The specific lawsuit in the spotlight right now involves Savvis -- who had audited the security of CardSystems' computer systems and determined that the company "had implemented sufficient security solutions and operated in a manner consistent with industry best practices." As you may remember, CardSystems was later found to have had a massive breach of credit card data (for a while, until recently surpassed, it was considered the largest ever credit card data breach). So Savvis is now being sued for claiming that CardSystems' systems were secure. This is certainly a tough one. Obviously, it's no good if security auditors are simply rubberstamping things -- but it's impossible to be fully confident that a system is secure, and there can always be a leak somewhere. So holding auditors liable for any such leak could make it prohibitive to even be an auditor -- with the end result being fewer auditors, and potentially less actual security. But... at the same time, you certainly want there to be some incentive for the auditors to take their job seriously. It seems like in the absence of clear negligence on the part of the auditor, that it's a bit extreme to put any liability on the auditor.
If you liked this post, you may also be interested in...
- German Court Says YouTube Isn't Liable For Infringement, But Wants A Notice-And-Staydown Process
- Huge Loss For Free Speech In Europe: Human Rights Court Says Sites Liable For User Comments
- DailyDirt: Passwords Suck, But What's Better?
- Top FBI Official Says Tech Companies Need To 'Prevent Encryption Above All Else'
- The Price Of Ignoring Free Internet Security Advice: Billboards Of Goatse