Is A Security Auditor Liable If There's A Security Breach?
from the we-may-find-out... dept
Wired is discussing the suddenly relevant legal question of whether or not a security auditor should be held liable if it claims a company's data is secure, and then there's a data leak. The specific lawsuit in the spotlight right now involves Savvis -- which had audited the security of CardSystems' computer systems and determined that the company "had implemented sufficient security solutions and operated in a manner consistent with industry best practices." As you may remember, CardSystems was later found to have had a massive breach of credit card data (for a while, until recently surpassed, it was considered the largest ever credit card data breach). So Savvis is now being sued for claiming that CardSystems' systems were secure. This is certainly a tough one. Obviously, it's no good if security auditors are simply rubberstamping things -- but it's impossible to be fully confident that a system is secure, and there can always be a leak somewhere. So holding auditors liable for any such leak could make it prohibitive to even be an auditor -- with the end result being fewer auditors, and potentially less actual security. But... at the same time, you certainly want there to be some incentive for the auditors to take their job seriously. It seems that, in the absence of clear negligence on the part of the auditor, it's a bit extreme to put any liability on the auditor.
Filed Under: auditor, data breach, liability, security
Reader Comments
It is even more difficult in systems that are evolving or being updated on a regular basis. A single new line of code could trigger security issues in other parts of a system, for example.
A simple configuration error in a single new server in a rack of equipment, a failure to block a certain type of possible attack through a single router, or heck, even allowing employees to have both web access and "system" access could be potential holes. You can block them up the best you can, but there are always new things coming along.
This doesn't even touch things like social hacking (obtaining passwords and usernames through non-hacker attacks), people who log on remotely from unsecured locations, etc.
In this case, the quote from CNN was "It looks like a hacker gained access to CardSystems' database and installed a script that acts like a virus". So any number of potential methods could have been used. I would place a bet on an employee PC, possibly a programmer or system maintenance person.
Currently there is a pretty nasty attack set up through Adobe files which allows a very quiet back door to be installed on your PC.
I embrace technological progress, though there are times when I do ask myself if some of the progress is worth the cost.
Employees set up a false company, including phone numbers; the auditor calls the company to see if a transaction was correct and the fake company says yes.
This is a clear case where the auditor would not be at fault. Others may include less crazy things like: said company went bankrupt after doing business with the one under audit.
To say an auditor did something wrong in a computer sense would be very hard. Attacks can come from inside/outside/brute force/employees/contractors. The auditor can provide reasonable assurance that each of the known issues is locked down or noted as a security risk (based on both how likely it is to happen and how much damage could happen if it was to happen). Then real resources will be spent to fix those problems brought up. Of course even then the fix could have its own holes generating additional problems.
No accounting auditor will tell you that their audit is 100% foolproof; computers should not be any different.
Re:
"The data belonged to card transactions that CardSystems had retained on its system and stored in unencrypted format, both violations of CISP standards"
This could indicate two things: either Savvis did an underwhelming job during the audit, or after the audit CardSystems dramatically altered its infrastructure in such a way that data that once sat in an encrypted state OFF its own systems now does. As someone who manages a fairly large infrastructure I find it difficult to believe that CardSystems drastically altered its systems in a 1 year +/- timeline (Audit Certification date to Hack Disclosure), corporate red tape being what it is and all.
Considering some of the points in the article, such as "Yet Heartland Payment Systems and RBS WorldPay, two processors that recently experienced large breaches, were certified compliant before they were breached. And Hannaford Bros. was certified in February 2008 while an ongoing breach of the company’s system was underway," it seems that there are some lackluster audits going on.
Apply elsewhere!
A security auditor can't be held responsible for all the passwords of a company. Sure, you can set up restrictions on length, complexity, usage, expiration. But if user1234 has Password1!, which meets the standard, then that can't be your fault. Or what if Sally has her passwords written on a piece of paper attached to the bottom of her keyboard? You can yell at your employees all you want and post a million and one security notices about best practice for computer security, but in that situation it's up to the user to do the right thing.
Technology progresses at an ever quickening pace, security is usually two steps behind. There is no such thing as a hack proof, virus proof, anything proof system... except the one that is never turned on, never plugged in and never used and has a blank hard drive and a corrupted BIOS.
Depends on Contract
The parties can already sign up for any type of liability sharing they wish.
An audit is just one of the many things you have to do to improve your security. And the responsibilities of the auditor are generally spelled out in the contract.
Data security is *always* the data owner's responsibility (shared responsibility = *no* responsibility). If the data owner needs more security, then *they* need to hire the right people, sign the right contracts, and hold the right people accountable.
The lawsuit should happen for its fact finding. But it will probably settle in favor of Savvis, unless the contract strongly implied some sort of guarantee of security (doubtful - no sane auditor would sign such a contract).
Looks to me like CardSystems f'd up. And now they're looking for someone to blame. If they hired a shoddy auditor, that's their fault. If they wrote a poor contract with their auditor, still their fault.
Read the Story First
Here's a simple scenario: you buy a used car from a dealer that gives you a Carfaxx report that shows that the car had never been in an accident. On your way home, the axle falls off. The previous owner admits the car had been rear-ended before he traded it in to the dealer. Carfaxx has harmed you. That's who you sue. Same case with Savvis.
You may disagree with the idea that Carfaxx (or Savvis) owes you anything. That's fine. But general comments about accounting aren't very enlightening and seem to indicate that some people just love to give their opinions without understanding the story.
They are getting paid to go an extra mile on top of what the in-house IT team achieves.
Re:
No, they are getting paid to make sure what the in-house IT team achieved actually works. Security auditors only provide security in the sense that they are around to verify IT's work.
Audits have very good records kept for just this reason, and those are turned in to the company requesting the audit (in fact, if you don't give the paperwork you don't get paid). As such, the report could say that file storage was checked secure to some standard. To prove the case the company will have to say that the auditor lied OR the auditor did not fulfil the contract. The first one would be an easy case; the second one would be much harder, given the report was turned in and signed off as complete, then later on something bad happened and they're attempting to assign blame.
Liability contracts are a bad thing for anything short of not doing the damn job. The contract for the job will spell out in black and white what needs to be checked, and backup paperwork needs to be done to ensure it was checked. So unless the contract said, "all file systems with sensitive data are safe even if physically stolen by a 3rd party" (or something like that) AND the auditor said yes they are when it turned out that no they were not, there is not much case, AND there was an approved way signed off by the client for the auditor to follow.
Sadly auditors are one job where you must cover your own ass.
doesn't work like that
The lawsuit will go nowhere. Savvis never said the data is secure; it only said:
the company "had implemented sufficient security solutions and operated in a manner consistent with industry best practices."
which has nothing to do with a data breach:
-Everyone (or at least most people) knows that it's impossible to have a 100% secure system.
-Savvis never rated the security of the system; it simply said the system is within the norm.
So unless that system was below standard (and someone can prove that), Savvis has no liability whatsoever.
Software/security audits are a sham...
the lawsuit itself
What the lawsuit on auditor's negligence is telling is something completely different and it's mostly about CardSystems:
1. They are either incompetent and have thus implemented sub-standard security practices and did not know that they are really sub-standard. Yeah, it's exclusively the auditor's job to first tell us that, right.
2. They are not able to find or recognize a competent security auditor, or notice that the auditor just grabbed the money and performed a quick stage show.
3. If they are ever able to actually prove negligence on the auditor's side, why the hell did we not raise this as an issue before data was stolen? Great management, when such important data is lost somewhere in internal power struggles.
Interesting..
It seems the best practices weren't good enough.
The other possible cause of the breach is that the practices were not always followed. Most security audits just check what safeguards are in place as far as policies and procedures go. If they aren't always followed, an auditor may not know that.
Aligning incentives
Perhaps some sort of bonding could be done, or some sort of limited liability.
"Auditor assumes $100,000 liability in case this system is found to not hold best practices within 1 year of this report." Twiddle the incentive knobs a little bit on the duration and liability and you might have a decent inspection.
If their contract spelled it out that they would be liable, then that is one dead company.