Friday, June 5, 2009
Sueing the auditor? Sure!
The PCI-DSS world has just gone mad this week after Merrick Bank decided to sue Savvis, who gave a clean bill to the well known service provider CardSystems, responsible for a huge breach that lead to thousands of card numbers being stolen.It is an interesting outcome and raises a series of questions about whether it's valid/reasonable to sue an auditor after a breach. Some PCI specialists promptly said it should not happen, as the auditor report is related only to a specific point in time and cannot be taken as a guarantee that nothing will happen on that environment. However, I believe that there are situations that could lead to a lawsuit like that.If the breach happened through something that goes against a PCI requirement and it was there at the time of the audit, it was probably something that should have been identified by the auditors, so they screwed up.- "please show me where I'm screwing up"- "don't worry you are ok, go for it!"...something happens...you've just opened a can of worms!Can you show that it was something that the auditors should have found? Was it there at that time? Have you answered properly all questions?There are other interesting situations - things tested by sampling, incorrect scope definitions, among others.PCI is suffering from the same pain that SOX suffers...but it will be easier to deal with as it is more prescriptive. Auditors now need to be even more careful about their methodologies - are they doing sampling properly? Are they being careful about the definition of the audit scope? Are they properly registering the answers provided by the auditedorganization? That's how they need to work to protect theirselves from being sued by compromised clients. That and raising their prices to build a reserve for eventual legal expenses. One can expect PCI audits to become more expensiveif the trend is confirmed.An interesting outcome is that for companies being audited, this is an additional reason to be completely transparent during a PCI audit. If you have the option to sue the auditor later, you should do everything to ensure that they won't miss anything because of your actions and answers, as this would release them from the liability.Also, another player will become extremely important, the forensics guy. He'll be the one that will have to go through all the evidence from the breach investigation and from the audit process to check whether it's case for a lawsuit.Auditors trying to protect theirselves by being more efficient, audited companies protecting theirselves by being more transparent. Bad auditors paying for their incompetence. Aren't these good reasons to allow those lawsuits to happen?