
Audits Show Things At a Moment in Time; Silly To Sue For Breaches That Happen 1 Year After Audit Conclusion?

There has been much written in the past week about Merrick Bank suing the audit firm Savvis because a breach occurred at CardSystems in 2005, even though Savvis had given CardSystems passing marks in the audit that Merrick Bank hired Savvis to perform in 2004. That audit was to ensure CardSystems was following Visa's Cardholder Information Security Program (CISP), basically a forerunner of the current PCI DSS program. Savvis found that CardSystems was following the CISP requirements. Within a year after the audit, CardSystems experienced a major breach that basically put them out of business.

I have had the great privilege to work as an IT auditor early in my career, for a while as an internal auditor at a large multi-national financial and insurance company, and then doing periodic audits since in various organizations in a wide range of industries. All wonderful learning experiences!

There are a couple of important points that the judge in this situation should consider, and the lawyers in this case should understand:

1) Audits show how a company is operating at a specific moment, or over a typically short period of time. It is extremely easy to completely change the security of an organization following the results of an audit with just one system, application or operational change in the business.

If the CardSystems breach had occurred immediately following the audit, then it is much more likely that Savvis may have overlooked something. However, the longer the time from an audit, the more likely that ongoing changes in the organization, systems and applications will make the results of the audit no longer useful for determining how secure the organization, and its practices, are.

I don't know how thorough Savvis was, or if they did indeed miss something. However, if they can show that potentially security-impacting changes were made within the CardSystems environment between the end of their audit and when the breach occurred, then it seems it would be very hard to prove they were negligent. It depends on the correlations between the breach details and how those details were covered in the audit, and related changes after the audit.

2) While CISP, and now PCI DSS, definitely provide good security actions, they are not comprehensive for organizations. There is no way any standard, or law for that matter, could enumerate and specify all the security safeguards and activities that an organization could implement to make their organization 100% secure and prevent all breaches from happening. Standards can provide a good core set of security, but organizations still have to determine their own risks to know where to implement safeguards that are not included in the standards.

Standards are kinda like putting on a bullet-proof vest; they provide some important protection to the core, but you still have significant parts of the body exposed (vulnerabilities) that could be attacked (threats) and damaged, and even prove fatal to the organization that was considered as being "compliant."

Organizations must understand that safeguards must be implemented to mitigate the RISKS TO THEIR OWN UNIQUE organization and environment, while also complying with applicable laws, regulations, industry standards, contractual requirements and enterprise policies.


I don't know the details of this particular case beyond the news report, nor the evidence that Merrick Bank thinks they must have to validate bringing a lawsuit. However, considering all the many different things that could have occurred, from the time following the Savvis audit conclusion until the time of the breach, to change the previous results of the CISP audit, it will be very hard, in my opinion, for Merrick Bank to win their negligence claim. But then, the devil's in the details!

This has been blogged about a lot! For another view, including more links to other opinions, see Rafal Los's blog post.

Will be interesting to see if this even makes it to court.


Comments

Hi Rebecca, first thanks for the link, and second - thanks for the well-written follow-up.

I've read a bunch of analyses so far on this topic, and there are basically two camps forming. There's the camp of people who want to bring down PCI and think this is a great vehicle for doing so; and then there's the group that wants to *mature* PCI and thinks this is a great way for doing so. Both can't win... it'll be an interesting battle.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for the past two decades. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the world's best privacy experts and on their list of the best privacy consulting firms in both 2007 and 2008. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 13th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.