Over at the InfoSecCompliance blog, David Navetta is leading a very interesting discussion on the topic of whether an information security consulting company that certified a credit card processor's compliance with VISA's former Cardholder Information Security Program (CISP) can be held liable under negligence and negligent representations theories to a third-party who allegedly relied upon the certification when deciding to do business with the credit card processor.
That's a mouthful, but essentially we are talking about professional tort liability to third parties, similar to the kind of liability shouldered by the accounting and legal professions. In the case under discussion, Merrick Bank Corp. v. Savvis Inc., No. 09-1088 (E.D. Mo. complaint filed May 12, 2008), the plaintiff is alleging that it suffered $16 million in losses because it relied on the defendant's determination that CardSystems Solutions Inc. was CISP-compliant when, in fact, it was not. CardSystems suffered a massive data breach in 2005, affecting over 40 million credit cards.
Navetta's post is worth reading if you are in the information security field.
There are a couple of reasons to be skeptical whether this case will actually answer the interesting legal questions posed by the complaint. First, CardSystems Solutions is in a liquidation bankruptcy (D. Ariz., No. 09-86), with Merrick Bank as one of its many claimants, thereby creating mixed motives among two of the key players. Second, the complaint has apparently been transferred to the District of Arizona and consolidated with two very similar 2008 actions by Merrick Bank against Savvis in the Eastern District of Missouri. In the first complaint (No. 08-674), Merrick Bank asserted negligence and negligent misrepresentation claims as an assignee of CardSystems. In the second complaint (No. 08-675), Merrick Bank asserted the same claims on its own behalf. These two complaints were transferred to the District of Arizona in December 2008, because still other, related claims were pending in that district and because CardSystems' data operations were located in Arizona.
The case can now be found in the District of Arizona under Merrick Bank Corp. v. Savvis Inc., No. 08-2233.
Update: The Wired Threat Level blog has a nice story on the lawsuit, pulling in some other views on the value of security certifications.
Follow me on Twitter at @bnatechlaw