What if a doctor told you that you had a clean bill of health, only to find that he missed a dangerous growth which later caused significant damage because it was not treated earlier?
The short-term affects of this lawsuit will no doubt have a chilling effect on the compliance-service industry as they recognize their own vulnerability in signing off on an audit.
It has always been critical that if you are giving someone a stamp of approval, that they truly meet the standard that has been defined. It’s important that your beef has been properly approved by the USDA and it’s important that your compliance with a security standard (Visa’s Cardholder Information Security Program or CISP, in this case) has been thoroughly vetted and approved.
No doubt, there have been security “stamps of approval” that have been given out to organizations in the past that might not have been deserving and we’ll never hear about them. And this might not be one of those times since we’ll have to wait until Savvis has had an opportunity defend itself and we hear the ruling by the court. However, it is inevitable that we would see a lawsuit occur at some point.
If you tell me, or rather, guarantee me that I am compliant with a regulation or meet a certain standard or criteria and then I am fined a significant amount of money ($16 million in this case) because I am not, you can rest assured I will come to you for some answers and some compensation.
What can be done to avoid this? This certainly invokes a number of questions. After all, companies are paying these auditors to insure they can bypass this whole mess. Ultimately, it will require more transparency of the actions performed by the auditing organization and the certifications of each individual auditor. If an auditor has passed a certification and his actions (or inactions) lead to a failure like this, should his certification be revoked? For my two cents, I believe this moves us a step closer to requiring a license-like structure for data security auditors that could have a better mechanism for granting and revoking its credentials. Ultimately, passing a test and receiving a certificate has limited if any accountability on an individual level.
However, the question that will be addressed first is what culpability an auditing organization has when damages occur to a customer they have certified as compliant. For this, we will have to stay tuned to how the court rules. One thing we know for sure, companies that perform audits will take another look at how their contracts are worded and review carefully how they perform their contracts.