In Legal First, Data-Breach Suit Targets Auditor

By Kim Zetter 
Threat Level
June 2, 2009

When CardSystems Solutions was hacked in 2004 in one of the largest 
credit card data breaches at the time, it reached for its security 
auditor’s report.

In theory, CardSystems should have been safe. The industry’s primary 
security standard, known then as CISP, was touted as a sure way to 
protect data. And CardSystems’ auditor, Savvis Inc, had just given them 
a clean bill of health three months before.

Yet, despite those assurances, 263,000 card numbers were stolen from 
CardSystems, and nearly 40 million were compromised.

More than four years later, Savvis is being pulled into court in a novel 
suit that legal experts say could force increased scrutiny on largely 
self-regulated credit card security practices.

They say the case represents an evolution in data breach litigation and 
raises increasingly important questions about not only the liability of 
companies that handle card data but also the liability of third parties 
that audit and certify the trustworthiness of those companies.

