The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Monday, August 01, 2005
First, blame the auditors ...
Mark Rasch, in his Security Focus column this week, has some interesting things to say about security auditors and consultants in the wake of the cardsystems breach. The focus of his column is on what audits are and are not, but also contains some interesting insights about the Cardsystems debacle.
The CardSystems blame game"...None of this is surprising. One of the first things you do when confronted with a public relations problem is to minimize the extent of the problem. Lawyers do this all the time, exclaiming things like "My dog didn't bite you, my dog doesn't bite, I don't own a dog." The next thing to do, of course, is to find someone else to blame.
In the case of CardSystems, they reportedly found someone who wasn't at the table to blame -- not VISA, not MasterCard, not their sponsoring bank, and not their customers. They blamed their auditors and consultants. In his testimony, Perry noted that CardSystems had undergone a CISP audit by consultants from Cable and Wireless in December of 2003 (17 months before the incident), and that there were "do deficiencies" that did not have adequate compensating controls. Thus, according to Perry's live testimony, it was Cable and Wireless' fault. Oh, and while he was at it, he also reportedly blamed the California mandatory disclosure law, SB 1386, claiming that without the law, the company would have suffered no losses. Well, still the data would have been lost, just nobody would have known about it.
Cable and Wireless claimed that there was nothing wrong with their audit, and that they were simply retained to audit the systems that were used to process the payment information. If there was a separate system used to store transactional data not connected to the processing system, or a system not within the scope of the audit, it was not examined.
Meeting of the minds
The relationship between consultant and consultee is almost always one based on a consulting agreement. The case points out a serious problem with understanding the nature of auditors, security consultants, and the relationship between these consultants and the underlying client. The consulting contract is supposed to reflect a meeting of the minds between the parties. Invariably however, the parties come to the table with differing expectations about what they are buying and selling. In the case of CardSystems and Cable and Wireless, CardSystems thought they were auditing discrete parts of the payment processing network for compliance with VISA's standards. CardSystems, on the other hand, apparently thought they were purchasing "hacker insurance" and a guarantee that they would never be subject to attack. At a minimum, CardSystems was seeking a "Certificate of Assurance" that they were compliant with all the relevant standards. As we will see, even this latter assumption may be unrealistic...."
Labels: cardsystems, information breaches
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.