Friday, September 25, 2009

Is state-of-the-art security going to become a new legal standard?

In another recent case, a US District judge allowed a couple who alleged that their bank failed to implement state-of-the-art security technology, leaving them victims of online bank account fraud of about $26,000, to bring a case against the bank. The judge refused to dismiss the case, clearing the way for it to go to trial. The judge stated: “In light of Citizens' apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access.”

I'm sure this reasoning would apply to a failure to implement PCI DSS requirements, but what about not using TDES after 7/1/10, or not implementing end-to-end encryption after several top retailers implement it?

http://www.securecomputing.net.au/News/156418,us-court-rules-that-bank-failed-to-protect-customer-against-fraud.aspx

Do a Retailer's Requirements to Protect Cardholder Data Go Beyond PCI?

Last week the US District Court in Maine threw out most of the claims in the class action lawsuits against Hannaford over its data breach. What it did not throw out was a claim that Hannaford had an implied duty to take reasonable measures to protect consumer data. This means that, in addition to the several state laws that require protection of consumer data, retailers may become subject to an implied contract obligating them to protect the consumer data they gather in the course of doing business. Other retailers have already been assessed penalties by the Federal Trade Commission for unfair practices in protecting consumer data. While actual consumer damages in these breaches have been low because of the issuers' card protections, I wonder whether this opens the door for the impacted financial institutions to recover their costs from merchants more easily.

Former Congressman Does Not See Federal PCI Legislation Likely

Tom Davis, former US Congressman and currently at Deloitte, gave the keynote speech at the PCI SSC community meeting this week in Las Vegas. After some very interesting insights about how presidential job approval affects congressional elections, which is what drives much of Congress, he talked about the current climate on the Hill for cyber security initiatives, including legislation covering PCI. His view was that congressional hearings are beneficial because they draw attention to the issue and get the industry to look harder at its own initiatives, and that such hearings will continue. However, no congressman benefits from pushing cyber security legislation of any kind until there is some kind of cyber Armageddon. He believes any federal legislation that covers PCI will not occur for the foreseeable number of years; this is not to be confused with someone merely filing a piece of legislation. He ended by saying the private sector is well ahead of the government sector on both cyber security policy and implementation.