Suing the auditor? Sure!
The PCI-DSS world went mad this week after Merrick Bank decided to sue Savvis, the assessor that gave a clean bill of health to CardSystems, the well-known service provider responsible for a huge breach that led to thousands of card numbers being stolen.
It is an interesting development and raises a series of questions about whether it is valid or reasonable to sue an auditor after a breach. Some PCI specialists promptly said it should not happen, because an audit report covers only a specific point in time and cannot be taken as a guarantee that nothing will ever happen in that environment. However, I believe there are situations that could legitimately lead to a lawsuit like that.
If the breach happened through something that violates a PCI requirement, and that condition was already present at the time of the audit, it was probably something the auditors should have identified, so they screwed up. Think of the conversation between the audited company and the assessor:
- “please show me where I’m screwing up”
- “don’t worry you are ok, go for it!”
…then something happens, and you have just opened a can of worms.
Can you show that it was something the auditors should have found? Was it there at the time of the audit? Did you answer all of their questions properly and completely?
There are other interesting situations – things tested by sampling, incorrect scope definitions, among others.
PCI is suffering from the same pain SOX went through, but it will be easier to deal with because the standard is more prescriptive. Auditors now need to be even more careful about their methodologies: are they sampling properly? Are they being careful about the definition of the audit scope? Are they properly recording the answers provided by the audited organization? That is how they need to work to protect themselves from being sued by compromised clients. That, and raising their prices to build a reserve for eventual legal expenses. One can expect PCI audits to become more expensive if the trend is confirmed.
An interesting consequence for companies being audited is that this is an additional reason to be completely transparent during a PCI audit. If you want to keep the option of suing the auditor later, you should do everything to ensure that they do not miss anything because of your own actions and answers, since that would release them from liability.
Another player will also become extremely important: the forensics investigator. That person will have to go through all the evidence from the breach investigation and from the audit process to determine whether there are grounds for a lawsuit.
Auditors protecting themselves by being more rigorous, audited companies protecting themselves by being more transparent, bad auditors paying for their incompetence. Aren't these good reasons to allow those lawsuits to happen?

This will open the floodgates and bring anyone involved with PCI-scope systems more sleepless nights. Wait and see.
Come on, people, play the blame game, because if you follow this standard there is no possible way you can get compromised. I know this as actual fact because people who can't program a video recorder told me so.
On a plus note, this will mean that all those blaggers in auditing and compliance will have to work for their money, and maybe even learn what those buzzwords that explode out of their asses in meetings mean.
July 14, 2009 @ 7:48 am