A few weeks ago, it was reported that Merrick Bank was suing Savvis, an IT consultancy, for performing a sloppy/inaccurate audit in 2004, of CardSystems compliance with CISP (Cardholder Information Security Program), the predecessor to PCI DSS. Merrick hired Savvis to do the audit prior to signing a contract with Cardsystems to process Merrick's card transactions. Although certified as compliant, it was later found that Cardsystems kept cardholder data unencrypted, and when hackers later breached their systems compromising up to 40 million transaction records, Merrick claims it suffered damages totaling $16 million in fines by Visa and Mastercard as well as other costs to compensate breach victims.

Just a few years earlier, all this might have been swept under the rug with all involved preferring to settle things privately to avoid public embarrassment. Today, however, there is growing awareness and understanding of the value of data, and consumers are angry and feeling vulnerable from the steady stream of high-profile data breach cases reported in the media. Reports such as the Experian Market Insight Snapshot which shows the higher your credit score, the more likely you’ll become a victim of identity theft only serve to amplify this fear.

Huge consumer frustration with government inaction and industry indifference to identity theft, especially in the US, is translating into broad-based public support for holding someone -- anyone -- accountable for securing data and protecting the integrity of our financial records. PCI DSS is supposed to raise the ante, but in reality, it is a weakly enforced standard, full of compliance holes as seen in more recent major breaches at Heartland Payment Systems and Hannaford Supermarkets. At present, it is only possible to know after the fact whether an organization is/was compliant or not.

Kim Zetter, in her recent story about the Savvis lawsuit in Wired, cites Andrea Matwyshyn, a law and business ethics professor at the University of Pennsylvania’s Wharton School who specializes in information security issues, “we’re at a critical juncture where we need to decide . . . whether [network security] auditing is voluntary or will have the force of law behind it.  For companies to be able to rely on audits . . . there needs to be mechanisms developed to hold auditors accountable for the accuracy of their audits.”

Amen. No question there is a gap between what auditors often receive as insight and cooperation from the client they are auditing, and what is really required to give a full and accurate audit, but if we don't demand legal and financial accountability, that gap will never close. Although my company stands to gain from provision of breach mitigation services, we don't relish it. Accountability and even liability of those claiming to keep data secure is much preferable to trying to catch all the horses after the barn door has been opened.  We'll be watching this suit closely, hoping for everyone's sake that the legal system gets this one right.