When the point of sale terminals at Target were hacked last December, issuing banks (the banks that issued credit cards to consumers) were on the hook for the millions of dollars it cost to reissue those cards to their customers, and potentially for the cost of fraudulent charges on the stolen cards.
So they went to their lawyers and asked the dumbest question you can ever ask a lawyer, “can I sue?”
Duh. The answer to that question is always, “yes.” But whom, and for what? In the case of two banks, Trustmark National Bank and Green Bank, their lawyers decided not only to sue Target itself but also to sue Target’s PCI security assessor, Trustwave, for negligently assessing Target’s security and for failing to adequately monitor the fraudulent activity.
And like Gilda Radner’s “Roseanne Roseannadanna” (kids, ask your parents), when the banks learned that Trustwave actually wasn’t monitoring Target’s network or processing credit card transactions (woulda been nice to know that before filing suit), the banks dismissed their lawsuits with what amounts to a sheepish, “never mind…” But they did so “with leave to refile,” which means that, like a poltergeist, the lawsuit could return. “They’re baaaack…” (kids, ask your parents again.)
While the lawsuit alleged failures to monitor and prevent the theft of PCI data by both Target and Trustwave, it went further. It alleged that Trustwave negligently performed the assessment of Target under PCI DSS, and that, had they conducted a proper assessment, the hack would not have occurred.
The case portends the possibility of liability for security assessors, auditors, vendors, suppliers, consultants and others, not only to their clients and customers but to the general public as well. Such liability matters because it is not typically considered when suppliers and customers negotiate contracts, and it could substantially increase the cost of these services. A security assessor no longer charges $10K to do a pen test; they become a guarantor and insurer against any future hack. That $10K pen test now costs $10 million.
The lawsuit is also significant because it asserts, at least in part, a so-called “duty to the market” theory of liability: that security vendors, auditors or assessors owe a duty of due care not only to their direct customers but also to entities that may rely on their services. That could mean third parties whose data is collected or stored by the vendor’s customer, but it could mean everyone in the world.
If you assess the security of a nuclear power plant, and that plant is later hacked and releases radiation, are you on the hook for the tens of thousands of now glowing residents, not to mention the three-eyed fish?
Now Trustmark and Green are not customers of Trustwave. They never hired Trustwave to perform any services and had no “privity of contract” with it. In fact, for the purposes of this litigation, there was no relationship between the security company and the banks at all. Yet the banks want the security company to pay them millions of dollars, and the banks’ own security was never actually breached. Nobody broke into the banks and stole money. The fallout from this litigation, if successful, could profoundly change the information security business. It could require companies to insist on more insurance, higher fees, or greater indemnification from customers.
A few legal terms here.
First, “privity.” Typically, when you enter into a contract, the terms of that contract bind you and the party with which you have entered into the contract. It’s called “privity of contract.” If you don’t like the terms of the contract, you negotiate them with the party in privity (if you can). So the contract between Target and Trustwave set out what services Trustwave was to provide (e.g., a PCI assessment), what the timetable was going to be, the cost, the nature of the deliverable, and all the things lawyers shove into contracts, including limitations on liability, warranties, disclaimers, choice of law, choice of forum, choice of jurisdiction, blah blah blah. The contract sets out the relationship between the PARTIES to the contract. If you ain’t part of the contract, you can’t negotiate the terms.
In the Trustmark/Trustwave lawsuit, the party suing (Trustmark) and the party being sued (Trustwave) are not in “privity.” Trustwave made no promises to Trustmark, negotiated no limitation of liability with it, and has no relationship with it at all. So all those nice disclaimers of liability between Trustwave and Target don’t apply to the Trustmark/Trustwave relationship. In fact, there is no such relationship.
Second legal term: third party beneficiary. Sometimes parties enter into a contract intending that a third party (the beneficiary) benefit from the agreement between them. The Latin term is “jus quaesitum tertio,” because lawyers like to translate things into Latin to make them less understandable. Unless the parties specifically intend to create rights in a third party, most contracts specifically say that there are NO third party beneficiaries to the contract.
Third legal term (provided at no additional cost): duty of due care. Apart from the law of contracts, there is a separate body of law regarding torts (civil wrongs, not the pastry tortes). Negligence is a typical tort: failure to adhere to a “reasonable standard of care.” Tort law and contract law can arise from the same fact pattern. I hire an engineer to build a building and specify what the building will look like and what it will do, how much I will pay and when (contract).
The engineer builds the building improperly (negligence) and the building collapses. I can sue (I can always sue) for both breach of contract AND tort. It gets more complicated when a person who is NOT a party to the contract (say a pedestrian on the street when the building collapses) is harmed by the actions of the party in breach. The injured pedestrian would have to show that the engineer owed a duty of due care to the pedestrian, and that it was reasonably foreseeable that, if the engineer were negligent, someone like the pedestrian might be injured.
Put that into the context of information security work.
You see, Target hired Trustwave to do several things related to information security. First, they hired Trustwave to conduct an assessment of Target’s PCI DSS compliance. The Payment Card Industry (read that, the card brands and the banks that issue and accept their credit, debit and stored value cards) set up a bunch of security rules, the Payment Card Industry Data Security Standard (PCI DSS), for vendors and merchants who accept those cards as payment. Pretty neat.
The card brands make the rules, and the merchants, who depend on people using credit and debit cards, have to follow them. If you don’t follow the rules, you can be fined (the fines are passed down through your acquiring bank) or simply kicked out of the “We Take VISA” club, although recently at least one merchant has sued VISA and another group of restaurants sued their banks for imposing such fines.
Remember, these are “voluntary” standards imposed by the card brands on merchants, vendors and payment processors for the security of credit and debit card transactions. For the most part, they aren’t “laws.” (I say for the most part because a few states have written PCI DSS into statute: Nevada (Nev. Rev. Stat. Ch. 603A) requires compliance outright, and Washington (Wash. H.B. 1149 (2010)) ties a breached business’s liability for card reissuance costs to whether it was compliant.)
The PCI DSS standards cover a host of activities: point of sale security, network security, passwords, authentication. At their core, the twelve requirements fall under six goals: build and maintain a secure network and systems, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
While it’s pretty basic stuff, the current version of the standard (3.0) runs to 112 pages of requirements, testing procedures and guidance (with pretty pictures and circles and arrows and a paragraph on the back of each one explaining what it is). Depending on a merchant’s transaction volume (its “merchant level”), it can either assess itself against these standards by completing a Self-Assessment Questionnaire, or it can have a Qualified Security Assessor (like Trustwave) conduct the annual on-site assessment. At the end of the assessment (and any remediation conducted as a result of it) the assessor signs a Report on Compliance that “certifies” compliance with PCI DSS.
Does this mean that the merchant is “secure?” Umm… no. Does it mean that the merchant is bullet-proof? Umm… no. Just because your building passes fire code today doesn’t mean that it will pass tomorrow, nor does it mean that it won’t burn down. What’s worse, many if not most PCI DSS assessments, even by qualified third parties, depend heavily on the merchant’s cooperation and on the merchant’s own account of which systems are in scope.
It’s not that the merchant is trying to hide something; it’s that they only know what they know, and they make assumptions. Example: an assessor may ask whether a merchant is using a particular make and model of POS terminal, or particular software on the terminal. The merchant may respond that they used to use that terminal or software, but it was phased out five years ago, and every one of the 2,000 stores is now using something else.
Um, yeah, except for that one store in Columbus, Ohio which had that problem integrating the new terminal, so they disconnected it and put the old terminal back in, right? Sure, you can have all kinds of spot tests and checks and balances, but you reach a point of diminishing returns. The goal here is to make sure that merchants are doing SOMETHING to protect credit card data, not that they are doing EVERYTHING possible.
So in PCI DSS assessments, things are missed. Systems that contain or process credit card data are not assessed because the merchant doesn’t know, or doesn’t think, that those particular systems are involved in the process.
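The “one store in Columbus” problem above is a scope-validation problem: the assessor was handed a declared inventory and has to decide how far to trust it. Below is an added example (not code from the original post, and not any assessor’s tooling) of the kind of reconciliation an assessor can run before accepting the merchant’s word. The store IDs, terminal models and the “observed” device list are constructed for illustration; in practice the observations would come from a network scan, switch MAC tables or a NAC export. The script flags retired hardware still on the wire, models nobody declared, locations missing from the declared store list, and declared stores that produced no observations at all (the last one matters just as much: a store you never scanned is a store you never assessed).

```python
"""Reconcile a merchant's declared POS inventory against what is actually
observed on the network (added example; constructed data, not real scan output).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observed:
    """One device seen on the network during scope validation."""
    store: str
    host: str
    model: str  # what the device identifies itself as (banner, MAC OUI, agent)


# Constructed: what the merchant told the assessor. "Every store runs the
# NewTerm 200; the OldTerm 100 was phased out years ago." (Hypothetical names.)
DECLARED = {
    "approved_models": {"NewTerm 200"},
    "retired_models": {"OldTerm 100"},
    "stores": {"S0001", "S0002", "S0003", "S0005"},
}

# Constructed observations from the scope-validation scan.
OBSERVED = [
    Observed("S0001", "pos-01", "NewTerm 200"),
    Observed("S0002", "pos-01", "NewTerm 200"),
    Observed("S0002", "pos-02", "NewTerm 200"),
    Observed("S0003", "pos-01", "NewTerm 200"),
    Observed("S0003", "pos-02", "OldTerm 100"),  # the one that got put back
    Observed("S0003", "kiosk-01", "Unknown"),    # nobody mentioned a kiosk
    Observed("S0004", "pos-01", "NewTerm 200"),  # store not on the declared list
]


def reconcile(declared, observed):
    """Return {finding_code: [details]} for everything that contradicts the
    declared picture. An empty dict means the observations match the story."""
    findings = {}

    def add(code, detail):
        findings.setdefault(code, []).append(detail)

    seen_stores = set()
    for o in observed:
        seen_stores.add(o.store)
        where = f"{o.store}/{o.host}"
        # Retired hardware still in service is the classic missed system.
        if o.model in declared["retired_models"]:
            add("RETIRED_MODEL_IN_USE", f"{where} ({o.model})")
        # Anything that is neither approved nor retired was never discussed.
        elif o.model not in declared["approved_models"]:
            add("UNDECLARED_MODEL", f"{where} ({o.model})")
        # A location the merchant never listed is out of scope by omission.
        if o.store not in declared["stores"]:
            add("UNDECLARED_LOCATION", where)

    # Declared stores with no observations were never actually checked.
    for store in sorted(declared["stores"] - seen_stores):
        add("NOT_OBSERVED", store)
    return findings


if __name__ == "__main__":
    for code, details in sorted(reconcile(DECLARED, OBSERVED).items()):
        for d in details:
            print(f"{code:<22} {d}")
```

Every finding here is a question for the merchant, not a verdict: the retired terminal might be powered on but segmented away from cardholder data, and the “Unknown” kiosk might be a digital signage box. The point is that the assessor now has a list to ask about instead of a sentence to accept.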
So we know that a PCI DSS assessment isn’t really a guarantee of security. But we also know that some assessors are good, and some not so good. And if there is a really bad assessment that leads to a breach, the assessor should have some liability, right? Probably. The question is – liability to whom?
What Does the Contract Say?
PCI DSS assessors or auditors deal with this ambiguity and uncertainty through contract terms and conditions between themselves and their customers (the merchants or processors). Essentially, they tell the customer that they will conduct a “reasonable” assessment against the PCI DSS standard and issue a Report on Compliance identifying the areas in which they believe the customer is compliant and the areas that raise concerns about compliance.
They will also make findings and recommendations. All of this depends on having access to the client’s facilities, having the client’s cooperation, and having the client disclose everything that is relevant. In fact, most PCI DSS assessments are closer to “assessor-supported client self-assessments.”
There is no way that Trustwave performed a pen test on each and every POS terminal at each and every Target location. So the contract between Trustwave and Target will establish what Trustwave would do, what it wouldn’t do, and the extent and scope of liability Trustwave would have – TO TARGET.
What’s likely missing from the contract is the scope and extent of Trustwave’s liability to third parties in the event of a breach at Target. And that’s likely to change. If we see more suits like this, security vendors will insist that their clients and customers indemnify them for damages (and litigation costs) arising from allegations that they (the assessor) were negligent and failed to prevent the attack. Yes, asking your customer to pay in the event that you are negligent.
This isn’t the first time a security assessor has been sued as a result of a breach. When the payment processor CardSystems was breached (the intrusion began in 2004 and came to light in 2005), Merrick Bank sued CardSystems’ auditor, Savvis, Inc., for negligence: Merrick Bank Corporation v. Savvis, Inc. et al. (2010 WL 148201, Dkt. No. 2:09-cv-01088-CKJ, D. Ariz.; dismissed with prejudice by stipulation, December 23, 2010).
The theory of that case was that the assessor, Cable & Wireless (later acquired by Savvis), negligently represented that CardSystems was compliant with the card brand security rules when it conducted the audit and CardSystems passed. CardSystems was a payment processor, and Merrick was the acquiring bank for approximately 125,000 merchants. Just so we understand: when you go to a STORE and use your CREDIT CARD, the STORE uses a PAYMENT PROCESSOR to process the transaction. When the transaction is approved, the STORE essentially puts the money in its ACQUIRING BANK (kinda sorta like the way it would deposit your check in its bank).
This is different from the ISSUING BANK, the one whose logo you would find next to the big VISA or MasterCard on your credit card. So a big difference between the Target/Trustwave suit and the CardSystems/Savvis suit is that the acquiring bank (Merrick) had a relationship of some sort with the processor (CardSystems) and had relied on the assessor’s sign-off before doing business with it; indeed, according to the Arizona federal court, “in or about January 2004, [Merrick] did not permit CardSystems to act as either ISO [Independent Sales Organization] or Processor until Merrick was satisfied that CardSystems was compliant with all Association rules and regulations related to Processor.”
While it’s not clear how the suit was resolved, it appears likely that the case was settled, since after the court refused to dismiss it, and after a flurry of sealed pleadings, the case was voluntarily dismissed.
So, much is riding on this theory of liability. If vendors and assessors are liable to third parties for failing to prevent an attack, then nobody will want to be in this business, at least at current prices. If they aren’t, then what’s their incentive to do a comprehensive job? Tough choices. I am glad I don’t have to make them. Oh wait, I do. So do we all. My advice? Get a good lawyer. Or two.