Data Security & Privacy

Data Security and Third-Party Liability: Time to Start Thinking About This

 
For the past couple of years, I have been advising clients, asking questions of professionals, and presenting on the fact that there is extremely little (alright, none) caselaw on third-party liability when it comes to protecting mission-critical data.  That is, until now.  The payment systems, or credit card processing, industry has had a set of guidelines (26 to be exact) that, if followed, would make the business "PCI Compliant."  PCI Compliance is not a law or regulation; it is the attempt by Visa, MasterCard, AmEx, and others to "self-police" the industry from an identity theft perspective.  While in theory this sounds good, in actuality the problem has been that these "auditors" get to say who is "in" and who is "out."  The Heartland Payment Systems and Hannaford data breaches showed just how de facto these guidelines can be.  Prior to those breaches, HPS and Hannaford were certified "PCI Compliant," but once the breaches occurred, they were quickly taken off the compliant list (although they can apply for reinstatement in a year).  Most analysts saw this as the PCI Council's (Visa, MasterCard, AmEx, et al.) way of disclaiming liability in order to avoid being brought in on potential lawsuits.
 
CardSystems Solutions was hacked into in 2004, and when it was, the executives reached for their audit report.  In theory, they should have been safe, because they had been given a clean bill of health by their auditor, Savvis, just 3 months earlier.  Yet, despite those representations and assurances, the company's data was breached.  The plaintiffs' attorneys in a class action lawsuit have now brought in Savvis as a defendant to the litigation, and as the article below states, this "raises increasingly important questions about not only the liability of companies that handle card data[,] but also the liability of third parties that audit and certify the trustworthiness of those companies."  The ripple effect across industries will be overwhelming.  Maybe not immediately, but in the near future you will start to see an increase in the amount of attention paid to auditing.
 
To view the article, please click here:  In Legal First, Data Breach Suit Targets Auditor
 