Compliance audits have become a part of life for most companies these days. Companies have relied on certifications to establish and declare the conformance of their business processes and internal controls to the various regulatory mandates such as Sarbanes-Oxley, PCI-DSS and HIPAA. But the data breach incidents that keep occurring prove, time and again, that simply getting certified is not the be-all and end-all.
In what amounts to a first of its kind, the US bank Merrick sued Savvis following a 2006 data breach at the bank's payment processor, Card Systems. The bank's claim was that despite the Cardholder Information Security Program (CISP) certification issued by Savvis three months prior, unencrypted credit card numbers were stolen and the bank had to pay fines to the tune of $16M. If this lawsuit stands and Savvis is held accountable for this lapse, it sets a new precedent for future IT security certifications (and their shortcomings).
In the financial world, auditors have too many shields to protect themselves from liability, even after admitting negligence. In the case of Arthur Andersen in the Enron scandal, the firm was held liable for obstruction of justice by shredding related documents, not for accounting mistakes or lack of audit oversight (and even that was subsequently overturned, if my memory serves me right). That is the limit of my jurisprudence. It is a slightly different story in the personal income tax filing area: a tax preparer can be held liable, as the IRS explains. In the IT world, it is a little less clear cut. Technology can be really disparate and complicated, and in some cases it might be difficult to ascertain what it actually does.
That said, here are some good things that could come out of this. Unlike financial accounting, where both sides (companies and auditors) have qualified individuals who can interpret the law and cannot claim ignorance, in the IT world most companies, instead of wrestling with the vagaries of the mandates, entrust the work to auditors who claim expertise in the area. Companies that can afford an internal auditor might not be able to claim innocence.
With companies increasingly moving their technology portfolio into co-located data centers hosted by third parties, interesting scenarios arise when it comes to accountability. With SaaS in particular, it becomes even more interesting. Vendors take ownership of managing and governing customer data and assure customers with appropriate certifications like SAS-70. The SaaS solutions themselves might be built on cloud infrastructure services like the Amazon Elastic Cloud (EC2). This creates a chain of claimed certifications that companies, and eventually their customers, have to rely on. Conversely, in the event of a lapse, it could also create a chain of claims: the customer against the solution provider, who in turn might make a claim against the infrastructure provider. So who will be held accountable? I will leave that to the experts of law to decide and to identify the negligent party.
So what is a company to do when faced with this challenge?
Here are some suggestions:
- If you are hiring an auditor for an audit, pay special attention to the liability clauses in the contract. Whichever way the verdict in the aforementioned case goes, it has set a precedent for future audit engagements. Auditors will be (and might already be) drafting in a clause to eliminate their culpability in the event of a lapse. But your interest should be to make sure there are reasonable grounds for any elimination of liability. If in doubt, err on the side of having an additional, third-party certification of the process and of the coverage of the audit. I am sure you agree it is cheaper to take the preventative measure than to pay after a breach.
- As a matter of risk mitigation, don't leave it to auditors to confirm that everything is fine. A certification is just a point-in-time verification and affirmation of known facts. You need to keep working at it to keep the certification valid. So have thorough tools and processes in place, certification or otherwise. Check my earlier post SaaS Data Security – Should I be concerned? for some ideas on mitigating these risks. The concepts apply to an internal IT organization as well.
- Given the gray areas surrounding the compliance mandates (even auditors will attest to that), it is important that companies, and also vendors, collaborate on the issues they are confronted with. There are communities like the BreachCenter that focus on topics such as data breaches. Collaborating and participating in such initiatives will evolve best practices from which the entire industry can benefit.
I would love to hear about anything companies dealing with PCI, SOX and HIPAA are doing to mitigate risks beyond the customary audits. Shoot me an email at smallya at prudentcloud dot com. I would be happy to discuss.