The recent Wired article In Legal First, Data-Breach Suit Targets Auditor discusses how a credit card company is suing the company that performed their security audit. The problem is that the credit card company was told that it was CISP (Cardholder Information Security Program) compliant, when it really wasn't. Per visa.com, "CISP is intended to protect Visa cardholder data–wherever it resides–ensuring that members, merchants, and service providers maintain the highest information security standard" (CISP has since been replaced by the PCI (Payment Card Industry) standard.) The lawsuit was triggered by the theft of 263,000 card numbers from the credit card company. So if the plaintiff was truly CISP-compliant, does that mean there is no way the theft would have occurred? Was the credit card company lulled into a false sense of security due to the bogus CISP certification?
There are two sides to this:
- The credit card company relied on the auditing company (perhaps too much) to tell them if they were CISP compliant or not, and to advise them on how to make their systems secure from theft
- The auditing company made an agreement with the customer to adequately review their systems for possible threats (including card number theft), make recommendations, and use the CISP requirements as their yardstick.
So who failed here? The auditing company may be guilty of false advertising and under-performing the contract. The credit card company may be guilty of not having adequate in-house security staff to keep their systems secure. Regardless, precedent will be set if it is determined that indeed the bogus CISP rating by the auditing company contributed to the security incident.
Is this kind of case good or bad for the security certification industry? Perhaps good, because:
- Certification issuers will be reminded of the potential cost of awarding a certification to an ill-qualified candidate
- Companies holding sensitive data must take ownership of their security, and not rely too much on external organizations to handle it for them
- It's a wake-up call for everyone involved
I think the credit card company is ultimately responsible. But as quoted in the Wired article, "...there needs to be mechanisms developed to hold auditors accountable for the accuracy of their audits." True. Because a reciprocal obligation to demonstrate quality exists between the certificate holder and certificate issuer, for one represents the other. And we are all accountable professionally--and soon, perhaps legally as well.