Thursday, December 10, 2009

Heartland Lawsuit Dismissed - Secure Enough

A lawsuit initiated by shareholders against Heartland Payment Systems was dismissed on Monday. The judge ruled that the plaintiffs didn't prove their case that Heartland lied about their security measures that were in place. The story can be found on the StorefrontBacktalk blog "Heartland Lawsuit Dismissed, 'Insufficient Evidence' Of Weak Security."

There is a very interesting quote by the judge on the third page of this article: "The fact that a company has suffered a security breach does not demonstrate that the company did not ‘place significant emphasis on maintaining a high level of security.’ It is equally plausible that Heartland did place a high emphasis on security but that the Company’s security systems were nonetheless overcome..." Juxtapose this statement with comments from Adrian Phillips, Visa International’s Deputy Chief Enterprise Risk Officer and Regional Head of Risk for North America: "No compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach. In all cases, forensic investigations have concluded that compliance deficiencies have been a major contributor to the breach." I go further in stating that when push comes to shove, in one way or another, all breaches will be found to be compliance failures. Not because companies are ignoring PCI, but because PCI is so all-encompassing that it's impossible to be in compliance 100% of the time. Hackers are like terrorists in that hackers only need to be successful once, whereas merchants need to be secure 100% of the time.

The reason I found this interesting is that it appears that the judge in this case is distinguishing between security and compliance, and rightfully so. I think "best effort" is what is missing with PCI, at least in terms of compliance. There should be some "best effort" allowances; otherwise some unscrupulous stakeholders in the industry will view PCI as nothing more than a revenue generation scheme upon a breach (a breach, cool, free money!). Unfortunately, I think there are some in the industry already treating breaches this way.

Now that there is a precedent separating security from compliance, will this change the landscape? Or will it just change the wording of the plaintiffs' complaints: instead of "did not do all they could to be secure," you might see "did not do all they could to be compliant."
