Editor's Note: InfoSecCompliance LLC (”ISC”) is a law
firm dedicated to providing solutions for privacy and security legal
compliance and risk management and here's an excerpt from a recent post (yesterday) on their blog.
Merrick Bank v. Savvis: Analysis of the Merrick Bank Complaint
Posted on June 3rd, 2009 by David Navetta of InfoSecCompliance.com
The Merrick Bank v. Savvis lawsuit has the potential to change the liability
dynamic of the PCI regulatory system. The Savvis case is one of the
first known instances of a payment card security assessor being sued by
a merchant bank ( the merchant bank is a third party relative to the
Savvis-CardSystems relationship). The Merrick Bank compliant alleges
that it relied on Savvis’ certification of CardSystems as Visa CISP
compliant (this matter pre-dated the PCI standard), and that
certification was false. After CardSystems suffered a breach exposing
up to 40 million payment card records, Merrick allegedly incurred $16
million in payments to the card brands (which was ultimately
transferred to issuing banks who suffered losses arising out of the CardSystem breach).
If Savvis is held liable (or even if this case makes it past motion to dismiss or a motion for summary judgment) it has the potential to significantly modify the relative risk of PCI qualified security assessors, and in turn modify the PCI regulatory scheme. This post discusses the two theories of liability alleged by Merrick: (1) negligence; and (2) negligent misrepresentation.
Please note, while I am an attorney this post does not in any way constitute legal advice or a legal opinion, and should not be relied upon to take any action or be the basis for any inaction. The law related to this case is complex and varies from jurisdiction to jurisdiction, and over time. If you are interested in a full legal analysis of potential security assessor liability in a particular jurisdiction, please contact me directly at djn@davidnavetta.com
One further note, the basic rules and general information in this document was derived from various legal research sources. However, one book in particular provided excellent information on the liability of service providers to third parties. Please check it out, and purchase it: Professional Liability to Third Parties (Jay M. Feinman).
UPDATE: Other bloggers/mags are putting together some nice analysis of this case as well: here, here
Continue Reading at InfoSecCompliance.com
firm dedicated to providing solutions for privacy and security legal
compliance and risk management and here's an excerpt from a recent post (yesterday) on their blog.
Merrick Bank v. Savvis: Analysis of the Merrick Bank Complaint
Posted on June 3rd, 2009 by David Navetta of InfoSecCompliance.com
The Merrick Bank v. Savvis lawsuit has the potential to change the liability
dynamic of the PCI regulatory system. The Savvis case is one of the
first known instances of a payment card security assessor being sued by
a merchant bank ( the merchant bank is a third party relative to the
Savvis-CardSystems relationship). The Merrick Bank compliant alleges
that it relied on Savvis’ certification of CardSystems as Visa CISP
compliant (this matter pre-dated the PCI standard), and that
certification was false. After CardSystems suffered a breach exposing
up to 40 million payment card records, Merrick allegedly incurred $16
million in payments to the card brands (which was ultimately
transferred to issuing banks who suffered losses arising out of the CardSystem breach).
If Savvis is held liable (or even if this case makes it past motion to dismiss or a motion for summary judgment) it has the potential to significantly modify the relative risk of PCI qualified security assessors, and in turn modify the PCI regulatory scheme. This post discusses the two theories of liability alleged by Merrick: (1) negligence; and (2) negligent misrepresentation.
Please note, while I am an attorney this post does not in any way constitute legal advice or a legal opinion, and should not be relied upon to take any action or be the basis for any inaction. The law related to this case is complex and varies from jurisdiction to jurisdiction, and over time. If you are interested in a full legal analysis of potential security assessor liability in a particular jurisdiction, please contact me directly at djn@davidnavetta.com
One further note, the basic rules and general information in this document was derived from various legal research sources. However, one book in particular provided excellent information on the liability of service providers to third parties. Please check it out, and purchase it: Professional Liability to Third Parties (Jay M. Feinman).
UPDATE: Other bloggers/mags are putting together some nice analysis of this case as well: here, here
Continue Reading at InfoSecCompliance.com