BreachExchange mailing list archives

Banks' suit in Target breach a 'wake up call' for companies hiring PCI auditors


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 27 Mar 2014 18:47:39 -0600

http://www.networkworld.com/news/2014/032714-banks39-suit-in-target-breach-280133.html

A lawsuit filed by two banks against Target and Trustwave Holdings, the
retailer's security assessor and service provider, could lead to more
rigorous evaluations of a company's security for protecting payment card
data, experts say.

Trustmark National Bank and Green Bank N.A. sued Target and Trustwave in
federal court in Chicago Monday, accusing them of negligence and other
misdeeds in the massive data breach that occurred at Target stores last
December.

The suit, which seeks class-action status, seeks damages for losses the
banks suffered in canceling and reissuing credit and debit cards following
the loss of tens of millions of payment card numbers from Target's computer
systems.

The lawsuit is one of the few times banks have tried to hold a security
auditor partly responsible for a breach. In this case, the plaintiffs are
suing Trustwave for failing to catch security problems while validating
Target's compliance with the Payment Card Industry Data Security Standard.

The suit also accuses Trustwave of helping to make the breach possible by
later failing to spot vulnerabilities in Target's network. Target hired
Trustwave as both its PCI auditor and its security service provider.

"It's a significant development because auditors and security technology
companies have never previously faced liability for failing to detect or
mitigate breaches," Jacob Olcott, manager of the cybersecurity practice at
consultancy Good Harbor Security Risk Management, said Wednesday.

"It certainly raises the bar for auditors, who may modify their auditing
practices to enhance the scrutiny of the companies they audit."

Indeed, Lisa Sotto, chair of the global privacy and cybersecurity practice
of the law firm Hunton & Williams, said qualified security assessors (QSAs)
could take a step back and review how they conduct their audits.

"The QSAs would be wise to pay attention to this and to ensure that there's
appropriate rigor in their assessments," Sotto said.

Some assessors are more "check the box" and less rigorous, while others are
extremely thorough, she said. Less diligent QSAs will sometimes cut
corners in order to keep prices competitive.

"The cost pressure results in probably less time than may be needed to do
an appropriate assessment," Sotto said.

Avivah Litan, analyst for Gartner, recommended that companies hire separate
vendors to do PCI audits and manage security. Hiring one company to do it
all is "not a clean business practice," she said.

"Hopefully, this lawsuit will serve as a wake up call to companies that
have to comply with PCI," Litan said. "They should use assessors that
aren't selling security services and are really experts just in the
auditing and are giving a very independent opinion."

The suit could also have an impact on negotiations between companies and
security service providers, with each side becoming clearer where their
responsibilities begin and end, Christine Ferrusi Ross, analyst for
Forrester Research, said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
