Is A Security Auditor Liable If There's A Security Breach?

from the we-may-find-out... dept

Tue, Jun 2nd 2009 6:08pm — Mike Masnick

Wired is discussing the suddenly relevant legal question of whether or not a security auditor should be held liable if it claims a company's data is secure, and then there's a data leak. The specific lawsuit in the spotlight right now involves Savvis -- who had audited the security of CardSystems' computer systems and determined that the company "had implemented sufficient security solutions and operated in a manner consistent with industry best practices." As you may remember, CardSystems was later found to have had a massive breach of credit card data (for a while, until recently surpassed, it was considered the largest ever credit card data breach). So Savvis is now being sued for claiming that CardSystems' systems were secure. This is certainly a tough one. Obviously, it's no good if security auditors are simply rubberstamping things -- but it's impossible to be fully confident that a system is secure, and there can always be a leak somewhere. So holding auditors liable for any such leak could make it prohibitive to even be an auditor -- with the end result being fewer auditors, and potentially less actual security. But... at the same time, you certainly want there to be some incentive for the auditors to take their job seriously. It seems like in the absence of clear negligence on the part of the auditor, that it's a bit extreme to put any liability on the auditor.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: auditor, data breach, liability, security

25 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 2 Jun 2009 @ 6:34pm

There are no truly, entirely, completely secure systems. You can get really, really close, but it is almost impossible.

It is even more difficult in systems that are evolving or being updated on a regular basis. A single new line of code could trigger security issues in other parts of a system, example.

A simple configuration error in a single new server in a rack of equipment, a failure to block a certain type of possible attack through a single router, or heck, even allowing employees to have both web access and "system" access could be potential holes. You can block them up the best you can, but there are always new things coming along.

This doesn't even touch things like social hacking (obtaining passwords and usernames through non-hacker attacks), people who log on remotely from unsecure locations, etc.

In this case, the quote from CNN was "It looks like a hacker gained access to CardSystems' database and installed a script that acts like a virus". So any number of potential methods could have been used. I would place a bet on an employee PC, possibly a programmer or system maintenance person.

Currently there is a pretty nasty attack set up through adobe files which allows a very quiet back door to be installed on your PC
[ link to this | view in chronology ]
Anonymous Coward, 2 Jun 2009 @ 7:02pm

Life used to be easier when we used adding machines, typewriters, file cabinets, POTSs, etc. Heck, there was even a time when I could fix my car all by my lonesome.

I embrace technological progress, though there are times when I do ask myself if some of the progress is worth the cost.
[ link to this | view in chronology ]
E-Rocker, 2 Jun 2009 @ 7:18pm

[i]had implemented sufficient security solutions and operated in a manner consistent with industry best practices.[/i] Note that the auditor is not saying they are secure, but merely that they are consistent with generally accepted standards. When a company goes public, their financial statements are audited by an outside member, who must state that either the financials are or are not consistent with GAAP. The auditor makes no mention of whether the financials are good or bad, or whether the company is a good investment. Merely that they meet specific standards. Now, if the auditor, in either case, were negligent in accurately assessing this consistency, I agree that they should share liability. But there may not be negligence, and the company still goes bankrupt on day two because they intentionally falsified numbers, unknowingly mis-represented their company, or were just a poor investment. Simliarly, tt's not an auditor's job to maintain an organization's security. And there are countless ways, as mentioned, that any organization's security can be by-passed. If there was no negligence in assessing consistency with standards, I don't see why there should be any liability.
[ link to this | view in chronology ]
- E-Rocker, 2 Jun 2009 @ 7:20pm
  
  Re:
  Hmm...I had HTML enabled...
  [ link to this | view in chronology ]
  - E-Rocker, 2 Jun 2009 @ 7:31pm
    
    Re: Re:
    Oh, that wasn't HTML...but agreed with the other posts.
    [ link to this | view in chronology ]
- Washii, 2 Jun 2009 @ 10:23pm
  
  Re:
  Oh God, GAAP. My two quarters of mind-numbing accounting classes coming back to me. What a stupid CompSci requirement.
  [ link to this | view in chronology ]
Paul Brinker (profile), 2 Jun 2009 @ 7:25pm

In Accounting the auditors job is to provide "reasonable assurance" The auditor is not accountable if for example...

Employees setup a false company including phone numbers, the auditor calls the company to see if a transaction was correct and the fake company says yes.

This is a clear case where the auditor would not be at falt, others may include less crazy things like, said company went bankrupt after doing business with the one under audit.

To say an auditor did something wrong in a computer sence would be vary hard, Attacks can come from inside/outside/bruteforce/employees/contractors. The auditor can provide reasonable assurance that each of the known issues are locked down or noted as a security risk (based on both how likly it is to happen and how much damage could happen if it was to happen) Then real resorces will be spent to fix those problems brought up. Of course even then the fix could have its own holes generating additional problems.

No accounting auditor will tell you that there audit is 100% foolproof, computers should not be any differnt.
[ link to this | view in chronology ]
- RVSpinX (profile), 3 Jun 2009 @ 5:11am
  
  Re:
  I disagree, based on the article it seems clear that auditor does have liability. Audits are done to verify the systems meet some predetermined level of security, to meet this level requires having certain things in place (Firewall, Encryption, etc.) In this particular case CardSystems was certified as compliant with the CISP standards. However the nature of the breach shows how they were in fact not in compliance.
  
  "The data belonged to card transactions that CardSystems had retained on its system and stored in unencrypted format, both violations of CISP standards"
  
  This could indicate 2 things, 1 that Savvis did an underwhelming job during the audit, or that after the audit CardSystems dramatically altered its infrastructure in such a way that data that once sat in an encrypted state OFF its own systems now do. As someone who manages a fairly large infrastructure I find it difficult to believe that CardSystems drastically altered its systems in a 1 year +/- timeline (Audit Certification date to Hack Discloser), corporate red tape being what it is and all.
  
  Considering some of the points in the article such as "Yet Heartland Payment Systems and RBS WorldPay, two processors that recently experienced large breaches, were certified compliant before they were breached. And Hannaford Bros. was certified in February 2008 while an ongoing breach of the company’s system was underway." seems to indicate that there are some lackluster audits going on.
  [ link to this | view in chronology ]
Aaron, 2 Jun 2009 @ 7:27pm

Apply elsewhere!
So should a police officer be held responsible if a crime is committed on his patrol route and the officer does not respond automatically without notice?

A security auditor can't be held responsible for all the passwords of a company. Sure you can set up restrictions on length, complexity, usage, expiration. But it user1234 has Password1! which meets the standard then that can't be your fault. Or what if Sally has her passwords written on a piece of paper attached to the bottom of her keyboard. You can yell at your employees all you want and post a million and one security notices about best practice for computer security but in that situation it's up to the user to do the right thing.

Technology progresses at an ever quickening pace, security is usually two steps behind. There is no such thing as a hack proof, virus proof, anything proof system... except the one that is never turned on, never plugged in and never used and has a blank hard drive and a corrupted BIOS.
[ link to this | view in chronology ]
Anonymous Coward, 2 Jun 2009 @ 8:11pm

Depends on Contract
Seems to me to be essentially a contract issue.

The parties can already sign up for any type of liability sharing they wish.

An audit is just one of the many things you have to do to improve your security. And the responsibilities of the auditor are generally spelled out in the contract.

Data security is *always* the data owners responsibility (shared responsibility = *no* responsibility). If the data owner needs more security, then *they* need to hire the right people, sign the right contracts, and hold the right people accountable.

The lawsuit should happen for its fact finding. But it will probably settle in favor of Savvis, unless the contract strongly implied some sort of guarantee of security (doubtful - no sane auditor would sign such a contract).

Looks to me like CardSystems f'd up. And now they're looking for someone to blame. If they hired a shoddy auditor, that's their fault. If they wrote a poor contract with their auditor, still their fault.
[ link to this | view in chronology ]
iyogi (profile), 2 Jun 2009 @ 8:51pm

Card Systems
Who had audited the security of Card Systems computer systems and determined that the company.
[ link to this | view in chronology ]
cageywolf, 2 Jun 2009 @ 9:54pm

Read the Story First
It's probably best to read the Wired story before making broad statements about responsibility. In this case, it certainly appears that the auditor failed on key issues. Most organizations don't handle the work internally (think Sarbanes-Oxley) but hire an outside firm (which also insures impariality) to verify that they're meeting a specified level of compliance. When Savvis certified CardSystems, other companies relied on Savvis' having done proper job of verifying CardSystems' compliance with certain standards. However, some obvious non-compliant practices were in effect (storage of credit card numbers as unencrypted data, for example). CardSystems isn't suing, a third party that was harmed by Savvis' alleged negligence in doing a crappy job of auditing is. That's a huge difference.

Here's a simple scenario: you buy a used car from a dealer that gives you a Carfaxx report that shows that the card had never been in an accident. On your way home, the axel falls off. The previous owner admits the car had been rear-ended before he traded it in to the dealer. Carfaxx has harmed you. That's who you sue. Same case with Savvis.

You may disagree with the idea that Carfaxx (or Savvis) owes you anything. That's fine. But general comments about accounting aren't very enlightening and seem to indicate that some people just love to give their opinions without understanding the story.
[ link to this | view in chronology ]
Khizar Mohammed, 2 Jun 2009 @ 11:39pm

Security auditors must be held responsible. They should be forced to sign a liability contract that involves them in any sort of information loss. Most of the IT auditors think that they know everything better than anyone else. Instead of forming alliance with the existing IT team and getting the complete information about the manipulations and workarounds that are done by the developers, network and systems officers, the security auditors keep auditing what they know. Due to their attitude towards the company IT team, auditors are seen as trouble makers and they get answers for what they ask. They never come across the vital information that lies only with the IT staff. Eventually, this is the information that leads to potential breaches
They are getting paid to go an extra mile on top of what in house IT team achieves.
[ link to this | view in chronology ]
- pk, 3 Jun 2009 @ 6:17am
  
  Re:
  you obviously have no idea what an auditor's role is then. An auditor is responsible for verifying that a company's security implementation is aligned with the company's security policies and procedures. Although auditors may provide recommendations, they are not the security architects. Auditors do not design stuff, they verify stuff. It seems that you've had experience of the the wrong set of security auditors since you refer to the attitude of the auditors.
  [ link to this | view in chronology ]
- Danny, 4 Jun 2009 @ 2:13pm
  
  Re:
  They are getting paid to go an extra mile on top of what in house IT team achieves.
  
  No they are getting paid to make sure what the in house IT team achieved actually works. Security auditors only provide security in the sense they are around to verify IT's work.
  [ link to this | view in chronology ]
Paul Brinker (profile), 3 Jun 2009 @ 12:30am

My General Accounting point was this, in this specific case the auditor was PAID to audit a given service and just did not do it. Since the auditor did not even check the files for this then its a breach of contract and rightfully you can sue.

Audits have vary good records kept for just this reason, and those are turned in to the company requesting the audit (in fact you dont give the paperwork you dont get paid) As such the report could say that file storage was checked secure to some standard. To prove the case company will have to say that the auditor lied OR the auditor did not fufil the contract. The first one would be a easy case, the 2nd one would be much harder given the report was turned in and signed off as complete then later on something bad happend and there attempting to assign blame.

Liability contracts are a bad thing for anything short of not doing the damm job. The contract for the job will spell out in black and white what needs to be checked and backup paperwork needs to be done to ensure it was checked. So unless the contract said,"all file systems with sencitive data are safe even if physicaly stolen by a 3rd party" (or something like that) AND the auditor said yes thay are when it turned out that no it was not there is not much case AND there was an approved way signed off by the client for the auditor to follow.

Sadly auditors are one job where you must cover your own ass.
[ link to this | view in chronology ]
braindead (profile), 3 Jun 2009 @ 1:11am

doesnt work like that
"Savvis -- who had audited the security of CardSystems' computer systems and determined that the company "had implemented sufficient security solutions and operated in a manner consistent with industry best practices."

lawsuit will go nowere Savvis never said data is secure it only said:
the company "had implemented sufficient security solutions and operated in a manner consistent with industry best practices.

which has nothing to do with Data breach:
-Everyone (or at least most ppl) know that its impossible to have a 100% secure system.
-Savvis never rated security of system, it simply said system is with in the norm.

so unless that system was below standard (and some1 can prove that) Savvis has no liability what so ever.
[ link to this | view in chronology ]
John Doe, 3 Jun 2009 @ 3:58am

Software/security audits are a sham...
Unless a security auditor looked at every line of code of every system, examined the OS and hardware they run on and the firewalls they sit behind, there is no way for an auditor to really know anything for sure. All they can say is they have examined the policies and procedures in place. If those policies and procedures aren't followed or there is a bug/hole in the code, then you can have a breach. So auditors of any kind are really making only a best guess.
[ link to this | view in chronology ]
bp, 3 Jun 2009 @ 4:41am

the lawsuit itself
All the comments agree, that there is no perfect security and no audit will ever be able to neither assure nor guarantee it.

What the lawsuit on auditor's negligence is telling is something completely different and it's mostly about CardSystems:
1. They are either incompetent and have thus implemented sub-standard security practices and did not know that they are really sub-standard. Yeah, it's exclusively the auditor's job to first tell us that, right.
2. They are not able to find or recognize a competent security auditor or notice, that the auditor just grabbed the money and performed a quick stage show.
3. If they are ever able to actually prove negligence on the auditor's side, why the hell did we not raise this as an issue before data was stolen? Great management, when such important data is lost somewhere in internal power struggles.
[ link to this | view in chronology ]
JohnRaven,CHT,CSH (profile), 3 Jun 2009 @ 5:06am

Interesting..
The auditor didn't certify that they had unbreakable security, just that they were consistant with best practices.

It seems the best practices weren't good enogh.
[ link to this | view in chronology ]
John Doe, 3 Jun 2009 @ 5:27am

And this is the problem; best practices are only best for a while. Then someone figures out how to get through. Then new practices are developed. So security is always one step behind the bad guys.

The other possible cause of the breach is that the practices were not always followed. Most security audits just check what safeguards are in place as far as policies and procedures go. If they aren't always followed, an auditor may not know that.
[ link to this | view in chronology ]
Matt Katz, 3 Jun 2009 @ 5:29am

Aligning incentives
Seems like an incentives game. Some degree of liability for the auditor is positive, because it insures that they do a thorough job for the client. Unlimited liability is not helpful, because it encourages too stringent requirements from inspectors and reduces the chances of them ever issuing an all clear.

Perhaps some sort of bonding could be done, or some sort of limited liability.

"Auditor assumes $100,000 liability in case this system is found to not hold best practices within 1 year of this report." Twiddle the incentive knobs a little bit on the duration and liability and you might have a decent inspection.
[ link to this | view in chronology ]
Anonymous Coward, 3 Jun 2009 @ 9:26am

It all depends on the terms of the agreement. I have worked for consulting companies, and the agreement always stated that we were not responsible for things like that. Any contract that stated such never made it past our legal department.

If their contract spelled it out that they would be liable, then that is one dead company.
[ link to this | view in chronology ]
Shawn (profile), 3 Jun 2009 @ 9:58am

This particular suit may actually make sense, it will be interesting to see how it plays out. The question is not as simple as an whether a security audit proving something is secure. The lawsuit is about the fact that Savvis certified that CardSystems had met the Cardholder Information Security Program (CISP) standards. Discovering vulnerabilities and providing remediation results is what just about any unregulated business and many regulated ones consider a 'Security Audit' That is a completely different animal than a certification of a company to a third party standard.
[ link to this | view in chronology ]
PrometheeFeu (profile), 3 Jun 2009 @ 12:34pm

Honestly, I think suing actually makes sense here. The whole point of the suit is to establish whether the security auditor did an appropriate job or not. That's how we can keep security auditors honest. If they did a good job, the suit should show it. If they didn't the suit should also show that. I just hope the judge doesn't mistake doing a good job and making a foolproof system.
[ link to this | view in chronology ]