Some interesting infosec issues have come up in court cases recently.
Last month, the Supreme Court agreed to hear a case challenging the constitutionality of the Sarbanes-Oxley Act of 2002 (aka SOX).
More recently, Wired reports that Merrick Bank is suing PCI QSA Savvis for giving Card Systems a passing grade on a PCI audit just 3 months prior to Card Systems getting hacked and ultimately exposing 40 million credit cards to the intruders. The breach cost Merrick nearly $18M to fend off the resulting fraud, settle claims, and replace compromised cards.
While SOX has been a driver of security investments in the years since it was enacted, it is clearly overly burdensome for most companies and misses its goals in a number of areas. There is general consensus, even in the security industry, that it should go.
The jury is still out on the Merrick/Savvis PCI case, however. If Merrick is successful in its bid to attach fault to Savvis for giving Card Systems an improper passing grade on its PCI audit, that will send a chill down the spine of most security staffs. PCI audits are onerous enough already, and I'd hate to think how much time and expense we're going to have to expend on them after the QSAs figure out they can be sued if they miss the tiniest detail. And it's still a point-in-time certification. Just because an org is PCI-compliant today doesn't mean it won't silently fall out of compliance tomorrow. Are QSAs going to demand recurring audits of the environment throughout the year to satisfy their own legal teams that the client is still worthy of a passing grade? It's a slippery slope, to be sure. I don't like the direction we're headed on this one.