The UNIX and Linux Forums  
Posted 06-09-2009 by iBot (Forum Robot Girl; Join Date: Sep 2000; Posts: 22,135)
Don't Sue Me, Sue the Auditor

The recent Wired article "In Legal First, Data-Breach Suit Targets Auditor" discusses how a credit card company is suing the company that performed their security audit. The problem is that the credit card company was told that it was CISP (Cardholder Information Security Program) compliant, when it really wasn't. Per visa.com, "CISP is intended to protect Visa cardholder data–wherever it resides–ensuring that members, merchants, and service providers maintain the highest information security standard" (CISP has since been replaced by the PCI (Payment Card Industry) standard.) The lawsuit was triggered by the theft of 263,000 card numbers from the credit card company. So if the plaintiff was truly CISP-compliant, does that mean there is no way the theft would have occurred? Was the credit card company lulled into a false sense of security due to the bogus CISP certification?

There are two sides to this:
  • The credit card company relied on the auditing company (perhaps too much) to tell them if they were CISP compliant or not, and to advise them on how to make their systems secure from theft
  • The auditing company made an agreement with the customer to adequately review their systems for possible threats (including card number theft), make recommendations, and use the CISP requirements as their yardstick.
So who failed here? The auditing company may be guilty of false advertising and under-performing the contract. The credit card company may be guilty of not having adequate in-house security staff to keep their systems secure. Regardless, precedent will be set if it is determined that indeed the bogus CISP rating by the auditing company contributed to the security incident.

Is this kind of case good or bad for the security certification industry?  Perhaps good, because:
  • Certification issuers will be reminded of the potential cost of rewarding a certification to an ill-qualified candidate
  • Companies holding sensitive data must take ownership of their security, and not rely too much on external organizations to handle it for them
  • It's a wake-up call to everyone involved
I think the credit card company is ultimately responsible. But as quoted in the Wired article, "...there needs to be mechanisms developed to hold auditors accountable for the accuracy of their audits." True. Because a reciprocal obligation to demonstrate quality exists between the certificate holder and certificate issuer, for one represents the other. And we are all accountable professionally--and soon, perhaps legally as well.