Last week, people started talking about a lawsuit first filed last year by Merrick Bank against Savvis Inc. The basis for the suit is that when Savvis audited CardSystems Solutions for compliance with the CISP security standards of the time, it gave CardSystems a clean bill of health. Merrick sued Savvis after the breach, and it became the first lawsuit of its kind against an auditor.
After Kim Zetter provided a story and background on Threat Level, the commentaries started. First it was Angela Gunn on BetaNews suggesting that suing auditors won’t stem the breaches. Subsequent commentaries include those by Rebecca Herold, Digital Soapbox, and David Navetta on InfoSec Compliance, who provides an analysis of the two bases for the lawsuit: claims of negligence and negligent misrepresentation.
Know of other commentaries we might want to read? Use the Comments option to post links or your own comments on the lawsuit.