IT Consulting Firm Sued for Certifying CardSystems as CISP Compliant

There’s a new variety of post-breach lawsuit. We’ve seen consumers sue merchants, banks sue merchants, and banks sue banks. Now, a bank has sued an IT consulting firm for certifying CardSystems as CISP compliant. Professional malpractice suits are nothing new in medicine or law practice, but we have not yet seen many security consultants sued for malpractice. That may change as standards and certification become more important.

CardSystems was a payment processor that experienced a massive security breach in 2005. Intruders compromised tens of millions of credit card numbers, leading to millions of dollars in fraudulent charges. In the wake of the breach, banks canceled and re-issued thousands of credit cards. Mastercard and Visa terminated their contracts with CardSystems, and CardSystems eventually filed for bankruptcy. It was the first example of a data breach killing a major company.

Merrick Bank is an acquiring bank, which means that it contracts with merchants to handle their credit card sales. Merrick used CardSystems to process those payments. Because the card association operating agreements make acquiring banks reimburse losses created by card processors, Merrick paid about $16 million to the associations after the CardSystems breach.

But Merrick does not just blame CardSystems for the breach. It also blames Savvis, the IT consulting firm that certified CardSystems’s compliance with Visa’s Cardholder Information Security Program (CISP). In May 2008, Merrick sued Savvis for negligence and negligent misrepresentation in certifying CardSystems as CISP compliant. Last week, the federal district court in Missouri transferred the case to Arizona and joined it with some similar cases, which is why a year-old case is being reported as if it were new.

New or not, the lawsuit is another example of an unfortunate tendency to equate compliance with security. I blogged before about a PCI DSS trainer who said that no one who was PCI DSS compliant had ever been breached—implying, if not directly stating, that PCI DSS compliance creates perfect security. Unfortunately, that seems to be the official line: Robert Russo, Director of the Payment Card Industry Data Security Standards Council, said much the same thing in Congressional testimony in March (p. 8: “[No] entity that has been subject to a data breach . . . was also in full compliance with the PCI DSS at the time of the breach”). Calling something a magic cure-all is a sure sign of snake oil; the PCI Council would do well to stop selling PCI DSS as a magic elixir.

Security assessment malpractice suits could have a long-term effect on the way assessments are conducted. Version 1.1 of PCI DSS started allowing compensating controls that permit compliance even when some requirements are not met. An assessor that requires strict adherence to PCI DSS requirements, with no allowance for compensating controls, can always point to those requirements when faced with a negligence claim. But when an assessor certifies compliance using compensating controls, it exercises more independent judgment, creating room for a negligence claim. The result could be less use of compensating controls.

There could also be some positive effects. Compliance requirements without liability for assessors make it too tempting for both parties to rush through the process. Sloppy consultants will assess as quickly as possible and then hop to the next paying assessment. Some clients, more interested in the certification than in security, will shop for the lowest-priced certification they can find. Not all assessments are like that, but security certifications make them more likely. Malpractice liability gives the consultant something to think about other than how quickly he can get paid for calling someone secure. But even security consultants who do things right need to be careful about how they structure engagement contracts, because these lawsuits will probably become more common.

One lesson for security consultants, and especially PCI assessors, is to be careful with engagement contracts. Savvis is not being sued by a client, but by a customer of a client—someone with whom Savvis had no contractual relationship. A limitation of liability and disclaimer of warranty have no force against someone who is not a party to the contract. A consulting firm would therefore want an indemnification clause in its contract, which would require the client to protect the consultant against anyone else in a claim arising from the engagement. But indemnification clauses aren’t always possible, and the client probably wants the assessor to indemnify it.

Of course, the risks are lower if the negligence claims fail. Negligence cases against processors and merchants have not fared well overall; it would seem even harder to recover against an assessor who certified a breached organization. The assessor could always raise the “Robert Russo defense” by blaming the breached organization for post-assessment changes. The basic negligence case is also harder: the plaintiff would have to show not only that the breached organization was negligent, but that the assessor knew or should have known that the breached organization was non-compliant at the time of the assessment, and that certifying the organization rose to the level of negligence. Proximate cause is probably harder to show, because the causal chain is the breached organization’s chain plus whatever was wrong with the assessment. Apportionment of fault could also be an issue: how much fault lies with the assessor for certifying compliance, and how much lies with the company for being non-compliant? The answer would be fact-specific, but the issues suggest that a case against an assessor would not be an easy win.

Issues like these are probably why PCI DSS assessors must carry cyber-risk and privacy liability insurance (QSA Validation Requirements v.1.1a, p. 40). The more people think that certification is all there is to security, the more the firms who provide those certifications will have to deal with lawsuits like these.

Published on May 27, 2009 at 7:07 pm

Minnesota and Online Gambling

Minnesota’s Department of Public Safety has sent letters to eleven large ISPs, instructing them to block about 200 online gambling sites. The DPS’s requests are problematic on a number of fronts.

First, the DPS relies on 18 U.S.C. § 1084(d) for its authority. That section gives law enforcement the ability to have phone companies disconnect services used for illegal gambling. The actual language is more complicated than that, of course: there’s a notice requirement before take-down, the alleged gambling operation can still fight the order in court, and it applies not just to phone companies but to any common carrier. And there’s the first problem: ISPs aren’t common carriers. Things might be simpler if they were—the whole “net neutrality” debate would be mostly moot, for starters. But they aren’t. By its plain language, § 1084(d) doesn’t apply to them.

Even if it did apply, there’s another textual problem. The statute says the common carrier must “discontinue or refuse, the leasing, furnishing, or maintaining” of the facility it provides. In short, the common carrier can disconnect its customer. But none of the 200 online gambling sites are likely to be located in the U.S., much less on the ISPs’ networks, so they can’t just disconnect them. That’s why the DPS wants the ISPs to block the sites. But the statute the DPS relies on doesn’t authorize blocking, only disconnection.

One could argue that blocking is merely a less disruptive form of disconnection, but I think that argument should fail. A disconnection order presents straightforward questions of jurisdiction (i.e., is the customer someone the state can tell the common carrier to disconnect?), but those questions are more complicated when blocking sites that aren’t in the country. Because blocking is done by IP address, it’s likely to harm innocent web sites that share the same infrastructure; that’s less of a risk with disconnection. Finally, blocking, unlike disconnection, does not require any relationship between the ISPs and the blocked addresses. A disconnected customer knows he’s been disconnected (even without the notice requirement), and knows who to complain to (and, if necessary, sue for reconnection). If eleven ISPs block a website, the website owner would have to persuade or sue all eleven of them to get them to stop. In short, the mechanics and impact of blocking are quite different from disconnection, and shouldn’t be covered under the same term.

The Minnesota request looks clumsy compared to the New York Attorney General’s similar efforts to have ISPs block child pornography sites. The New York AG wisely tried to avoid problems with state restriction of speech by asking ISPs to block sites voluntarily, with only the subtlest hint that things would not be so pleasant if ISPs refused. But Minnesota came right out and said it: “we are the state, and we’re telling you to do this.” So there’s no question that it’s state action; now the only question is whether it’s unconstitutional. Why would the state do that, when some ISPs have shown that they’re willing to block sites voluntarily?

New York’s AG also made another smart choice: it picked on child pornography, not online gambling. You won’t find many people to defend child pornography, but online gambling has lots of proponents, including the Interactive Media Entertainment & Gaming Association, who just got a new pet cause, and Congressman Barney Frank, who will be introducing legislation to repeal the current three-year ban on online gambling. By targeting gambling, Minnesota ensured that the blocking won’t happen without a fight.

Minnesota seems to be rushing into a battlefield already strewn with the bodies of other would-be blockers. Kentucky’s attempt to take over online gambling domain names was blocked (it’s appealing the decision). In 2002, Pennsylvania tried to force ISPs to block sites with child porn, but that law was struck down as unconstitutional. Interestingly, a remnant of an early failed attempt to regulate Internet speech—the Communications Decency Act—shields ISPs from being held liable for content carried over their networks. With so many failed attempts in the past, it’s no wonder Minnesota had to look to a novel theory of law.

Still, I think the state would have had much less trouble—and as much or more success—if it had followed New York’s lead and just asked nicely.

Update, 5/5/09: I got confused on my voluntary ISP agreements. Qwest’s agreement was with the National Center on Missing and Exploited Children; New York’s Attorney General doesn’t seem to have been involved. New York convinced several ISPs to voluntarily remove some Usenet newsgroup hierarchies, which is a different matter entirely.

Published on May 1, 2009 at 11:38 am

A Quick Reminder that Not All Identity Fraud Involves Computers

Another day, another breach announcement. No news there, but this one is tied to reports of misuse. A woman was arrested in Irving, Texas in January for “fraudulent use or possession of identifying information and two charges of credit card abuse.” The information she used for the frauds seems to have come from good old-fashioned dumpster diving.

It’s a lesson in the need to shred sensitive information, and a reminder that identity fraud comes from lots of sources, many of which have nothing to do with hacking. It’s also notable because of the time frame: the information came from a benefits report run in 2000, and the 64 people affected all worked with the district in the 2000-2001 school year. So either someone got the report years ago and has slowly been using the data, or (more likely) the report was thrown away relatively recently. Either way, it illustrates how difficult it can be to analyze how data loss leads to fraud: if the suspect hadn’t said where she got the reports, who knows how long it would have taken to find out what these 64 people had in common?

Published on April 14, 2009 at 9:09 pm

Too Many Law Schools in Minnesota?

This has nothing to do with data security, but I couldn’t resist the chance to obsess over some numbers. Last week, Mark Cohen at the Minnesota Lawyer blog posted a question that came up in a previous comment thread: are there too many law schools in Minnesota?

Whether we have too many law schools (or, more to the point, law students) is a slippery question. It’s like asking whether we have too many lawyers—it depends on whether you want to be one, or hire one.

I thought it might be interesting to compare the Twin Cities law school situation with other metro areas. Specifically, I wanted to look at two measures:

  1. The number of new law graduates produced in each area per year, as a proportion of the total population of the area, and
  2. The overall matriculation rate of the schools in each area.

The first is a measure of supply, from the legal market perspective—the higher an area’s per capita production of new grads compared to other areas, the more likely it is that the market may be oversaturated. The second measures demand—if far more students apply to schools than attend, there may be demand for more law school seats (from students, if not employers).

The results are listed below, based on the 2007 US Census data for primary statistical areas and the LSAC’s Guide to ABA-Approved Law Schools. I combined some of the census’s primary areas where it made sense because of school locations. I included roughly the fifty largest areas (reduced a bit because of combining).

The results confirmed what a lot of people already think: the Twin Cities produces a relatively high number of law school grads compared to its population. The 936 graduates are 264.5 graduates per million in population. Only San Diego, Boston, and Washington, DC put out more law grads per capita. Boston and D.C. are probably net exporters of new lawyers, and D.C. may have more lawyers per capita than anywhere else. That leaves San Diego as the only metro area producing significantly more law grads per capita than MSP—but note that Los Angeles, just a bit to the north of San Diego, has a particularly low rate of law grad production.

Number of law grads per million population:

| Area | 2007 Pop. | Grads/Yr | Grads/M |
|---|---:|---:|---:|
| San Diego, CA | 2,974,859 | 1,170 | 393.30 |
| Boston (MA/RI/NH) | 7,476,689 | 2,483 | 332.10 |
| Washington, DC, Baltimore, MD, Northern Virginia | 8,241,912 | 2,735 | 331.84 |
| Minneapolis/St. Paul & St. Cloud Area, MN/WI | 3,538,781 | 936 | 264.50 |
| Oklahoma City, Tulsa, OK | 2,217,670 | 585 | 263.79 |
| Indianapolis, Bloomington, Lafayette, IN | 2,423,956 | 638 | 263.21 |
| Detroit, Flint, Lansing, & Grand Rapids, MI | 7,257,206 | 1,811 | 249.55 |
| Columbus, OH | 1,982,252 | 462 | 233.07 |
| Birmingham, Montgomery, Tuscaloosa, AL | 1,811,555 | 418 | 230.74 |
| Little Rock, AR | 1,277,040 | 288 | 225.52 |
| San Francisco-San Jose, CA | 7,264,887 | 1,617 | 222.58 |
| St. Louis, MO/IL | 2,866,517 | 634 | 221.17 |
| Albany, NY CSA | 1,148,416 | 251 | 218.56 |
| New York, NY/NJ/CT/PA | 21,961,994 | 4,777 | 217.51 |
| Philadelphia (PA/NJ/DE/MD) | 6,385,461 | 1,384 | 216.74 |
| Milwaukee & Madison, WI | 2,353,600 | 501 | 212.87 |
| San Antonio & Austin, TX | 3,588,836 | 750 | 208.98 |
| Cleveland-Akron-Elyria, OH CSA | 2,896,968 | 599 | 206.77 |
| Sacramento, CA | 2,397,691 | 487 | 203.11 |
| Kansas City (KS/MO), Lawrence, & Topeka, KS | 2,396,108 | 472 | 196.99 |
| Chicago, IL | 9,745,165 | 1,908 | 195.79 |
| Portland, Eugene, Salem, Corvallis, OR | 3,100,110 | 571 | 184.19 |
| Denver-Aurora-Boulder, CO | 2,998,878 | 547 | 182.40 |
| Hartford, CT | 1,306,151 | 238 | 182.21 |
| Miami, FL | 5,413,212 | 936 | 172.91 |
| Buffalo, Rochester, Syracuse, NY | 3,056,474 | 519 | 169.80 |
| Orlando, Jacksonville, St. Petersburg, Sarasota, Gainesville, Tallahassee, FL | 8,167,737 | 1,385 | 169.57 |
| Greenville, Columbia, Charleston, SC | 2,615,644 | 437 | 167.07 |
| Charlotte-Greensboro-Raleigh, NC | 5,448,974 | 842 | 154.52 |
| Pittsburgh, PA | 2,446,703 | 375 | 153.27 |
| Houston, TX | 5,729,027 | 874 | 152.56 |
| Albuquerque, NM | 835,120 | 114 | 136.51 |
| Salt Lake City & Provo, UT | 2,180,009 | 288 | 132.11 |
| Atlanta, Athens, Macon, GA | 6,200,339 | 809 | 130.48 |
| Seattle-Tacoma, WA | 4,038,741 | 518 | 128.26 |
| Richmond, VA | 1,212,977 | 149 | 122.84 |
| Cincinnati (OH/KY/IN) | 2,176,749 | 267 | 122.66 |
| Nashville, Memphis, Knoxville, TN | 3,911,091 | 475 | 121.45 |
| Los Angeles, CA | 17,755,322 | 1,868 | 105.21 |
| Phoenix, AZ | 4,179,427 | 410 | 98.10 |
| Dallas-Fort Worth & Waco, TX | 6,726,533 | 626 | 93.06 |
| Virginia Beach, Norfolk, Newport News, VA-NC | 1,658,754 | 143 | 86.21 |
| Louisville (KY/IN) | 1,369,024 | 112 | 81.81 |
| Las Vegas, NV | 1,880,449 | 142 | 75.51 |

That’s the supply side. On the demand side, Minneapolis-St. Paul ends up with the tenth highest matriculation rate per application—suggesting that law school applicants are more likely to be able to attend a school in the area than most. Also note that all the areas with higher Grads/Million rates have lower matriculation rates: 8.14% in Boston, 6.32% in DC, and 10.95% in San Diego.

Matriculation as a percentage of applications (the number of applications and matriculations are the total for all schools in the area):

| Area | Apps | Matric. | Matric/Apps |
|---|---:|---:|---:|
| Virginia Beach, Norfolk, Newport News, VA-NC | 575 | 153 | 26.61% |
| Kansas City (KS/MO), Lawrence, & Topeka, KS | 2,960 | 490 | 16.55% |
| Birmingham, Montgomery, Tuscaloosa, AL | 2,979 | 479 | 16.08% |
| Oklahoma City, Tulsa, OK | 3,524 | 551 | 15.64% |
| Louisville (KY/IN) | 1,099 | 168 | 15.29% |
| Pittsburgh, PA | 3,190 | 485 | 15.20% |
| Salt Lake City & Provo, UT | 1,796 | 268 | 14.92% |
| Greenville, Columbia, Charleston, SC | 2,912 | 421 | 14.46% |
| Cincinnati (OH/KY/IN) | 2,284 | 324 | 14.19% |
| Minneapolis/St. Paul & St. Cloud Area, MN/WI | 7,401 | 984 | 13.30% |
| Buffalo, Rochester, Syracuse, NY | 3,584 | 469 | 13.09% |
| Columbus, OH | 3,618 | 439 | 12.13% |
| Houston, TX | 7,750 | 938 | 12.10% |
| Albany, NY CSA | 2,065 | 246 | 11.91% |
| Orlando, Jacksonville, St. Petersburg, Sarasota, Gainesville, Tallahassee, FL | 17,687 | 2,055 | 11.62% |
| Little Rock, AR | 2,597 | 299 | 11.51% |
| Cleveland-Akron-Elyria, OH CSA | 5,665 | 638 | 11.26% |
| Milwaukee & Madison, WI | 4,378 | 488 | 11.15% |
| Detroit, Flint, Lansing, & Grand Rapids, MI | 10,633 | 1,184 | 11.14% |
| San Diego, CA | 11,786 | 1,291 | 10.95% |
| San Antonio & Austin, TX | 6,771 | 729 | 10.77% |
| Miami, FL | 12,110 | 1,294 | 10.69% |
| St. Louis, MO/IL | 6,773 | 698 | 10.31% |
| Indianapolis, Bloomington, Lafayette, IN | 7,164 | 728 | 10.16% |
| Portland, Eugene, Salem, Corvallis, OR | 5,766 | 556 | 9.64% |
| Albuquerque, NM | 1,175 | 111 | 9.45% |
| Denver-Aurora-Boulder, CO | 5,920 | 555 | 9.38% |
| Dallas-Fort Worth & Waco, TX | 6,983 | 640 | 9.17% |
| Las Vegas, NV | 1,713 | 153 | 8.93% |
| Seattle-Tacoma, WA | 5,769 | 505 | 8.75% |
| Atlanta, Athens, Macon, GA | 11,799 | 1,029 | 8.72% |
| Richmond, VA | 1,886 | 160 | 8.48% |
| Sacramento, CA | 6,569 | 541 | 8.24% |
| Boston (MA/RI/NH) | 31,362 | 2,552 | 8.14% |
| Nashville, Memphis, Knoxville, TN | 6,334 | 512 | 8.08% |
| New York, NY/NJ/CT/PA | 66,008 | 5,053 | 7.66% |
| Hartford, CT | 2,824 | 216 | 7.65% |
| Chicago, IL | 26,707 | 1,925 | 7.21% |
| Phoenix, AZ | 5,827 | 408 | 7.00% |
| Philadelphia (PA/NJ/DE/MD) | 18,200 | 1,247 | 6.85% |
| Los Angeles, CA | 29,623 | 1,997 | 6.74% |
| Charlotte-Greensboro-Raleigh, NC | 14,718 | 970 | 6.59% |
| San Francisco-San Jose, CA | 26,219 | 1,687 | 6.43% |
| Washington, DC, Baltimore, MD, Northern Virginia | 48,501 | 3,066 | 6.32% |

This doesn’t prove Minnesota has too many law schools. But it does show that we put out a large number of law graduates for an area of our size, and it’s easier for students to get into a school here than in most cities. Whether that’s “too many” is left as an exercise for the economy.

Published on March 9, 2009 at 5:41 am

Security is Not a Checklist

In the security profession, we have a maxim that security is not a product. It’s a reminder that security doesn’t result from plugging in devices, but from the continuous integration of security into design, development, management, and operations. I’d add another maxim: security is not a checklist.

When I was in QSA training a few years back, our trainer claimed that no one who was PCI DSS compliant had ever suffered a data breach. He hedged this bold statement by suggesting that anyone who had been certified as PCI DSS compliant and later suffered a breach must have fallen out of compliance by the time the breach happened. It was an entertaining exercise in circular logic: PCI DSS prevents security breaches, so obviously anyone who suffered a security breach couldn’t have been PCI DSS compliant.

Well, Heartland Payment Systems, which may have suffered the largest breach in history (giving executives at TJX something to celebrate), was certified as PCI DSS compliant. That suggests at least three possibilities:

  1. Heartland was PCI DSS compliant when they were audited, but fell out of compliance by the time they were breached;
  2. Heartland wasn’t PCI DSS compliant, but their QSA said they were; or
  3. PCI DSS doesn’t actually prevent compliant organizations from suffering a breach.

Each of the first two conclusions would be reasonable. A PCI DSS assessment is a snapshot in time, and businesses are constantly changing. And because they are paid by the companies they assess, it’s fair to wonder whether QSAs are truly independent. The third conclusion is more than reasonable, it’s certain: PCI DSS compliance doesn’t guarantee security. That should be obvious. But maybe it’s not.

PCI’s strength and weakness is that it’s a checklist of detailed requirements. Its specificity is an improvement over laws like HIPAA, which calls for protecting against “reasonably anticipated threats” while considering the size of the organization and the costs of the security measures. It’s a flexible approach, but it doesn’t provide many answers. Are firewalls required? Does internal traffic have to be encrypted? It depends.

As a checklist, PCI DSS is more to the point. Companies know exactly what’s expected. They have to have firewalls between untrusted networks and any cardholder data environment (PCI DSS Requirement 1.2), install personal firewall software on laptops (Requirement 1.4), use anti-virus software (Requirement 5.1), and so on. There’s very little “it depends” in the PCI DSS requirements.

But companies sometimes think the checklist is all they need—that once they’ve checked “compliant” next to all the requirements, they’re done (until the next audit rolls around). They fall into the trap of thinking that a checklist item intended to mandate a minimum level of adequate security is also the most they need to do. They forget that being able to answer “yes, we have a process” to a checklist item is not as important as whether that process works. Then, when data is lost, they point to the checklist and ask what more they were supposed to do. That’s when a reasonableness standard starts looking awfully good.

The checklist is necessary, because there’s too much wiggle room and too much ambiguity without one. But just as security is not a product, it is also not a checklist. It is, as always, a process—one that a checklist can inform, and sometimes measure, but never complete.

Published on February 16, 2009 at 5:10 pm