Two weeks ago, the United States Court of Appeals reversed a lower court's decision, ruling that the IT security system used by a domestic bank was not "commercially reasonable" for protecting its customers. This sets a dangerous precedent, albeit a welcome one for many security professionals.
As I've written before, I don't believe software vendors can be held accountable for ensuring their products are devoid of ALL security vulnerabilities -- it is not possible, nor can one imagine all of the possible ways an attacker might abuse a particular piece of software (the cause of most security breaches). The same is true for enterprises, in this case banks, that deploy software and other IT solutions and use them to operate their business.
Security Innovation sits on both sides of the application security fence: we help customers build and deploy more secure software, and we have to do it ourselves. We understand the inherent challenges of doing so. Delivering 100% secure software is not feasible, unless you want to offer incredibly limited functionality to your customers (which they don't want). Having said that, I do believe that vendors and enterprises should be held accountable when there is clear negligence. If the bank was so grossly careless with its IT systems that even rudimentary defenses weren't in place, it's clear it should be held accountable. If it was 100% in compliance with a given security standard (e.g. PCI-DSS or ISO 27002) and can prove so, there are safe harbor protections that give it indemnity (at least in the case of PCI). Although PCI-DSS compliance does not equate to security, in the absence of a formally defined (and enforced) industry standard for application security, the bank can demonstrate that it operated in good faith and exercised due diligence to secure its IT systems.
But where does one draw that line for the cases in between (as is the case with most breaches)? Herein lies the danger of a ruling such as the one against People's United Bank. There is precedent now, and that is gold to litigation attorneys. As much as I am a staunch believer that holders of sensitive data have an obligation to protect that data, I am deeply concerned about the implications and future impact this ruling might have. It opens the door to a very grey area of accountability and fiscal liability. And we all know that the people who make out best in these situations aren't the consumers, nor the enterprises... they're the lawyers.