Showing posts with label legal. Show all posts

Tuesday, April 14, 2009

MUST Read: ”Who is Minding the Legal Risk around PCI?” by David Navetta

Initially this was supposed to go into my next Security Reading review, but as I was reading the paper I was getting more and more excited about it [please don’t tell me I am weird because of it :-)]

A very, very good read by David Navetta: ”Who is Minding the Legal Risk around PCI?” [PDF]

It’s official, this paper gets my “Exudes Pure Awesomeness!” of the 1st degree award.

Quotes:

“In the PCI context, plaintiffs can allege negligence by arguing that a merchant handling payment card data has a duty to protect such data, and that the PCI Standard is evidence of what merchants must do to achieve “ordinary care” or “reasonable security.” If the merchant suffers a security breach exposing payment card data, the failure to comply with PCI would arguably amount to a breach of that duty.”

“Since TJX there have been several lawsuits filed against organizations that had been validated PCI-compliant at the time of the breach. It can be expected that plaintiffs and courts in these suits are going to finely scrutinize every decision, practice, and interpretation around the stated PCI validation. The plaintiffs’ hope will be to discover that these merchants were not actually PCI-compliant despite the validation.”

However!

“Actual PCI compliance, however, does not necessarily absolve an organization from liability in the negligence context. In fact, PCI, as an industry standard, should be viewed as the minimum or floor in terms of what a court will consider “reasonable security.”” and “Security professionals and organizations need to know that when determining which controls to implement to protect cardholder data, PCI compliance may not be enough in a court of law.” (and, obviously, not enough “in the trenches”)

“However, the Federal appellate court in Sovereign Bank v. B.J. Wholesale Club & Fifth Third Bank, No. 06-3392/3405 (3rd Circuit, July 13, 2008) has allowed an issuing bank’s breach of contract claim to continue against a merchant bank that sponsored a merchant.” (even though issuing bank’s name was not on a contract)

“The Minnesota [PCI DSS-based] law (potentially others if they pass) provides a direct path to liability based in part on whether an entity was PCI-compliant.”

“One of the biggest challenges faced by organizations is resolving ambiguities in the PCI Standard as written and especially as applied to a particular organization or environment. Unfortunately, as PCI becomes a legal standard, the ambiguities arising out of the PCI Standard could increase the risk of legal liability.”

“In other words, being right on your judgment call [e.g. about the compensating control] at the end of the day will not necessarily eliminate legal risk, especially in the face of breach that has already occurred. The problem is further complicated because there is no definitive way to resolve ambiguities under the PCI system.” (and, no, it is not always the QSA)

My fave part:

“Legally risky PCI practices:

#1 QSA shopping – With hundreds of qualified security assessors of varying sizes, sophistications, and skills, some companies will shop for the cheapest QSA that will validate their compliance in the least expensive and least painful way. […]

#2 Rubber stamping - Another legally risky practice is “rubber stamping”: essentially failing to analyze actual security and simply treating PCI compliance like a facile checklist. In short, when QSA shopping occurs, rubber stamping is what can result.

#3 Scoping - The legal risk posed in this instance is obvious: if a breach occurs with respect to part of a cardholder environment that did not have proper PCI controls [since it was deemed ‘out of scope’] in place, this fact will be used against the organization in court.”

“Another key point that could increase the legal risk associated with PCI is the potentially false sense of security that can arise after being validated PCI-compliant. Validation does not necessarily equal compliance with PCI or “reasonable security” under the law.”

“Until much more is learned about how alleged “safe harbors” [something that allows them to claim ‘compliant + breached –> not liable’] work, and until service providers and merchants have a legal mechanism to actually enforce “safe harbor,” organizations should not assume they are protected.”

“Despite its security-centric origins, PCI compliance is posing increased legal risk. For organizations with a strong risk management ethos the approach to PCI compliance will likely involve a legal perspective and risk analysis.”

Read it now, whether you are a “PCI optimist”, “PCI pessimist” or a “PCI ambivalent-ist” :-) Something for everybody in there!

Friday, August 22, 2008

RIAA Scum Beaten Back in Court

Wow, this is impressive and kind of "against the tide." It looks like you CAN win against RIAA in court....

Monday, April 07, 2008

Is This How Security Will Be Improved?

"Davidson Cos. Sued for Negligence in Data Breach: Lawsuit confirms that companies can be held liable for failing to provide adequate security" (source)

"A Billings, Mont., law firm has filed a class-action lawsuit in federal court against Davidson Companies, claiming the company was negligent when it allowed a hacker to penetrate its systems, resulting in a data security breach and the exposure of some 226,000 customer records, according to a report."

This will be immensely fun to watch! So, for those companies that didn't start paying enough attention to security after viruses, then worms, then SOX, then PCI DSS, then bots, then data loss, then data theft, how about a threat of a nice cold lawsuit? Will it be enough to make them pay attention?

Well, we will see soon :-)

Friday, September 14, 2007

CA Next Generation Breach Law

As reported, California is close to passing its next-generation breach law, the "Consumer Data Protection Act", that "would require retailers to reimburse banks and credit unions for the costs of data breaches."

Wow! This does sound like the next step in the onslaught of compliance mandates. And, retailers will finally stop bitching and start working on those PCI projects :-)

Wednesday, September 12, 2007

Inspired by Tor - Think!

So, inspired by the recent Tor story (this and many others), here is something to think about:
  1. You buy a PC and connect to Internet (pay for your own connection)
  2. Download and install Tor
  3. Monitor it (full packet cap) in violation of its license, but in compliance with your policy
  4. See what looks like a secret email from somebody
  5. Grab the email and send it to a journalist
  6. Ooops! :-)
So, the question is: is this legal? can you be sued regardless? would you do it?

P.S. similar discussion kinda occurred on the Honeynet Project internal list about a year ago and the results were ... well, inconclusive at best.

Wednesday, July 11, 2007

Tina Bird's Logs and Law Summary

Here is the most comprehensive summary of all legal, regulatory, policy and other guidance documents that mention logging, created and maintained by none other than Tina Bird, who seems to be back in logland full time :-)

From Basel II to Common Criteria all the way to SOX.

Wednesday, October 25, 2006

On "No Harm - No Foul" Insanity

TechDirt reported this a few days ago: "Back in April, a judge ruled that Wells Fargo should not be penalized for a data breach because there was no evidence that those who acquired the data had done anything criminal with it."

So, let's try this for size, folks :-)

a. I borrowed your car when you were away (by picking the lock) and then returned it undamaged. I also put gas in. No car theft here, right?

b. I came to a store and took a TV without paying for it. I just watched a show and returned it. No crime, right?

I did think that the trend is to sync the online world with the offline, but it appears that this ruling goes in the opposite direction...

Dr Anton Chuvakin