This article from the New Republic examines two lawsuits that question who is liable for a breach caused by a third party security failure.
The cases both involve third party liability—that is, liability of a service provider to third parties for damages caused by the provider’s alleged negligence—and are a step short of the product liability doctrines that would be inherent in software design claims. So, the recent cases are of modest immediate importance—but they may be harbingers of the future.
In one case, Patco Constr. Co. Inc. v. People's United Bank, the customer sued its bank, claiming that although Patco itself was breached and its banking credentials were stolen, the bank is liable for the financial loss that ensued when the thieves transferred money from Patco's account offshore. The claim is based on the fact that the bank was alerted to the unusual transfer through its automated risk identification system and approved the transfer on review despite the red flags. Patco argued that People's United Bank relied on password authentication and ignored the alerts, which made its security practices not "commercially reasonable" and makes it liable. A settlement was reached in which People's United Bank paid Patco $345,000.
The second case, Lone Star Bank, et al. v. Heartland Payment Systems, concerns a breach that has been widely publicized. After Heartland suffered a major breach in 2009, the issuing banks for which Heartland cleared transactions were also affected, incurring costs for fraudulent charges, replacing cards and providing consumers with credit monitoring services. The case is now on appeal, with the issuing banks, including Lone Star Bank, claiming that Heartland was responsible for the cybersecurity failures and owes them damages.
Read the full article here.
Details of the breach affecting Adobe and several business information companies continue to emerge. This week, Hold Security and Brian Krebs revealed that PR Newswire was also a victim of the breach. In an update issued by the security firm, the group confirmed that the breach was a targeted attack. Its speculation about why PR Newswire was targeted is below.
"... considering criticality of major announcements done through PR Newswire, it is possible that savvy malicious individuals might use unannounced press releases or even manipulate major announcements to gain a competitive financial edge on the stock market."
In an interview with Gov Info Security, Frederick Chang, the head of the cybersecurity program at Southern Methodist University, discusses why he thinks security needs to become more of a science.
"The field needs to get to a point where it can become proactive, where we can get ahead of the problem. In science, we talk about prediction, models and repeatability. The idea of taking the longer-term approach and creating a foundational science and engineering of cybersecurity is a key part of our mission."