IT Consulting Firm Sued for Certifying CardSystems as CISP Compliant

There’s a new variety of post-breach lawsuit. We’ve seen consumers sue merchants, banks sue merchants, and banks sue banks. Now, a bank has sued an IT consulting firm for certifying CardSystems as CISP compliant. Professional malpractice suits are nothing new in medicine or law practice, but we have not yet seen many security consultants sued for malpractice. That may change as standards and certification become more important.

CardSystems was a payment processor that experienced a massive security breach in 2005. Intruders compromised tens of millions of credit card numbers, leading to millions of dollars in fraudulent charges. In the wake of the breach, banks canceled and re-issued thousands of credit cards. Mastercard and Visa terminated their contracts with CardSystems, and CardSystems eventually filed for bankruptcy. It was the first example of a data breach killing a major company.

Merrick Bank is an acquiring bank, which means that it contracts with merchants to handle their credit card sales. Merrick used CardSystems to process those payments. Because the card association operating agreements make acquiring banks reimburse losses created by card processors, Merrick paid about $16 million to the associations after the CardSystems breach.

But Merrick does not just blame CardSystems for the breach. It also blames Savvis, the IT consulting firm that certified CardSystems’s compliance with Visa’s Cardholder Information Security Program (CISP). In May 2008, Merrick sued Savvis for negligence and negligent misrepresentation in certifying CardSystems as CISP compliant. Last week, the federal district court in Missouri transferred the case to Arizona and joined it with some similar cases, which is why a year-old case is being reported as if it were new.

New or not, the lawsuit is another example of an unfortunate tendency to equate compliance with security. I blogged before about a PCI DSS trainer who said that no one who was PCI DSS compliant had ever been breached—implying, if not directly stating, that PCI DSS compliance creates perfect security. Unfortunately, that seems to be the official line: Robert Russo, Director of the Payment Card Industry Data Security Standards Council, said much the same thing in Congressional testimony in March (p. 8: “[No] entity that has been subject to a data breach . . . was also in full compliance with the PCI DSS at the time of the breach”). Calling something a magic cure-all is a sure sign of snake oil; the PCI Council would do well to stop selling PCI DSS as a magic elixir.

Security assessment malpractice suits could have a long-term effect on the way assessments are conducted. Version 1.1 of PCI DSS started allowing compensating controls that permit compliance even when some requirements are not met. An assessor that requires strict adherence to PCI DSS requirements, with no allowance for compensating controls, can always point to those requirements when faced with a negligence claim. But when an assessor certifies compliance using compensating controls, it exercises more independent judgment, creating room for a negligence claim. The result could be less use of compensating controls.

There could also be some positive effects. Compliance requirements without liability for assessors make it too tempting for both parties to rush through the process. Sloppy consultants will assess as quickly as possible then hop to the next paying assessment. Some clients, more interested in the certification than security, will shop for the lowest-priced certification they can find. Not all assessments are like that, but security certifications make them more likely. Malpractice liability gives the consultant something to think about other than how quickly he can get paid for calling someone secure. But even security consultants who do things right need to be careful about how they structure engagement contracts, because these lawsuits will probably become more common.

One lesson for security consultants, and especially PCI assessors, is to be careful with engagement contracts. Savvis is not being sued by a client, but by a customer of a client—someone with whom Savvis had no contractual relationship. A limitation of liability and disclaimer of warranty have no force against someone who is not a party to the contract. A consulting firm would therefore want an indemnification clause in its contract, which would require the client to protect the consultant against anyone else in a claim arising from the engagement. But indemnification clauses aren’t always possible, and the client probably wants the assessor to indemnify it.

Of course, the risks are lower if the negligence claims fail. Negligence cases against processors and merchants have not fared well overall; it would seem even harder to recover against an assessor who certified a breached organization. The assessor could always raise the “Richard Russo defense” by blaming the breached organization for post-assessment changes. The basic negligence case is also harder: the plaintiff would have to show not only that the breached organization was negligent, but that the assessor knew or should have known that the breached organization was non-compliant at the time of the assessment, and that certification of the organization rose to the level of negligence. Proximate cause is probably harder to show, because the causality chain is the breached organization’s chain plus whatever was wrong with the assessment. Apportionment of fault could also be an issue: how much fault lies with the assessor for certifying compliance, and how much lies with the company for being non-compliant? The answer would be fact-specific, but the issues suggest that a case against an assessor would not be an easy win.

Issues like these are probably why PCI DSS assessors must carry cyber-risk and privacy liability insurance (QSA Validation Requirements v.1.1a, p. 40). The more people think that certification is all there is to security, the more the firms who provide those certifications will have to deal with lawsuits like these.

Published on May 27, 2009 at 7:07 pm

One Comment

  1. I’ll try to compare this to the common pre-purchase home inspections. In that case, both the buyers’ and sellers’ agents are highly motivated to close the sale. No deal = no commission.

    A pre-purchase inspection by a professional inspector can only break a deal that is ready to close. The agents therefore have no incentive to recommend an inspector who has a reputation for doing a thorough inspection and finding lots of things wrong with the house. If the inspector nit-picks, neither agent will recommend that inspector again, and the inspector eventually has no work.

    So the inspector has to find enough things wrong to validate the necessity for the inspection, but not so much wrong that he/she breaks the deal and risks not getting any more business. In this case, the inspectors have a big thick contract that makes sure that if they miss something, they don’t have any liability, so they are safe from that side of the equation.

    I know a home inspector who quit the business for that reason. The better job he did, the fewer referrals he got.
