BreachExchange mailing list archives
Merrick Bank v. Savvis: Analysis of the Merrick Bank Complaint
From: security curmudgeon <jericho () attrition org>
Date: Wed, 3 Jun 2009 23:54:30 +0000 (UTC)
http://infoseccompliance.com/2009/06/03/merrick-bank-v-savvis-analysis-of-the-merrick-bank-complaint/ Merrick Bank v. Savvis: Analysis of the Merrick Bank Complaint Posted on June 3rd, 2009 by David Navetta The Merrick Bank v. Savvis lawsuit has the potential to change the liabilty dynamic of the PCI regulatory system. The Savvis case is one of the first known instances of a payment card security assessor being sued by a merchant bank ( the merchant bank is a third party relative to the Savvis-CardSystems relationship). The Merrick Bank compliant alleges that it relied on Savvis certification of CardSystems as Visa CISP compliant (this matter pre-dated the PCI standard), and that certification was false. After CardSystems suffered a breach exposing up to 40 million payment card records, Merrick allegedly incurred $16 million in payments to the card brands (which was ultimately transferred to issuing banks who suffered losses arising out of the CardSystem breach). If Savvis is held liable (or even if this case makes it past motion to dismiss or a motion for summary judgment) it has the potential to significantly modify the relative risk of PCI qualified security assessors, and in turn modify the PCI regulatory scheme. This post discusses the two theories of liability alleged by Merrick: (1) negligence; and (2) negligent misrepresentation. [..] _______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Get business, compliance, IT and security staff on the same page with CREDANT Technologies: The Shortcut Guide to Understanding Data Protection from Four Critical Perspectives. The eBook begins with considerations important to executives and business leaders. http://www.credant.com/campaigns/ebook-chpt-one-web.php
Current thread:
- Merrick Bank v. Savvis: Analysis of the Merrick Bank Complaint security curmudgeon (Jun 03)