Lawsuit Could Refine Liabilities of Security Service ProvidersBy Lawrence Walsh | Posted 2009-06-03 Email Print
A lawsuit against a security auditor and managed service provider could reshape liability exposure for companies that certify end users as being "compliant" with government or industry security standards.
Information security managers and executives have long been held accountable for security incidences and breaches, but what about the people who certify or provide the security? In other words, should auditors and managed security service providers be held accountable for breaches that happen after they’ve signed off on security measures?
That is the question before the courts in the case of the 2005 breach of CardSystems, a credit card payment processor that suffered a theft of more than 40 million credit card numbers, according to a Wired.com report. CardSystems has been certified as compliant with Cardholder Information Security Program (CISP), the precursor to the Payment Card Industry Data Security Standard (PCI DSS). But an incident response analysis discovered that CardSystems wasn’t in compliance with the security standards at the time of the breach.
According to the Wired report, a lawsuit brought by Merrick Bank is moving forward against Savvis, the managed service provider that certified CardSystems as CISP compliant. The lawsuit alleges that Savvis was negligent in certifying CardSystems as secure and bears responsibility. Savvis is a partner of such vendors as Cisco, Microsoft and Helett-Packard.