SaaS, Cloud Computing, and Liability for Security Breaches
Posted by Bob Warfield on October 26, 2007
There’s an interesting post by Larry Dignan about the TJX legal activity surrounding a data breach that exposed customers’ credit card information. It seems the banks are suing TJX to make it their problem. In the past, banks and credit card companies had to eat the expense. The TJX breach involved the theft from its systems of over 100 million credit card numbers by unknown intruders. This wasn’t a case of a tape falling off a truck or a bug in software inadvertently publishing the numbers–criminals hacked into the system over an 18 month period to steal the data. This is the largest such theft of its kind ever reported. In addition, personal data on about 451,000 individuals was stolen in 2003 by accessing a system relating to their return of merchandise without receipts.
The lawsuit’s account of how the breach happened rests on conclusions reached by TJX’s own consultants doing forensic work after the crime. They said the company failed to comply with 9 of the 12 PCI-DSS standards, among other things:
– An improperly configured wireless network. Note that this is outside a secure datacenter–an important point to keep in mind with supposedly secure apps.
– Outdated WEP encryption on the wireless network, a practice many other retailers suffer from.
– Failure to segment sensitive data and treat it differently.
– Retention of credit card information that shouldn’t have been retained under PCI-DSS standards.
– Apparently just one store in Florida was compromised sufficiently to lead to the calamity. The data, about 80 GB, was transferred over the Internet to a site in California.
– In addition, a sniffer was installed on the network to capture credit card information, which was being transmitted in the clear.
– The consultant who was deposed noted that they had never seen such a “void of monitoring and capture via logs of activity.”
The list goes on for pages if you read the legal filings, but this gives a nice understandable idea of what went on. According to the plaintiffs, at least, TJX was even aware of a lot of the problems from audits the year before but had failed to fix things.
I read this after posting the last part of my 3Tera interview, and it struck a chord with something from the interview. The 3Tera guys talk about how data privacy regulations are increasingly driving datacenter centralization and outsourcing. What a great concrete example this is, and it cuts both ways.
First, it puts a greater onus on those running datacenters to keep them secure or face the consequences. This puts more pressure on SaaS and other cloud computing vendors to deliver a very high quality product. Second, it means that IT organizations will also have even greater expenses around their in-house software activity in order to secure it. If nothing else, the article on the TJX breach I linked to above mentions they weren’t even sure of a lot of what was stolen because they had routinely deleted the data. What are the chances TJX and others will decide to archive a lot more information in the wake of all this?
Inevitably, this will lead to exactly the kind of legislation the 3Tera guys mention. This legislation will drive the kind of certification companies need to have around various kinds of data. Europe is already off to a head start on this front, but the US will surely follow. It may not even take legislation. The civil legal system may create ramifications for how datacenters operate.
Let me give an example. As I understand it, your damages relating to use of stolen IP in software are dramatically less if you can show that your organization took steps to verify it wasn’t using someone else’s IP. There are companies today that make a business of scanning your source code and looking for suspicious entries. The CFO or General Counsel may mandate such scanning simply because it is cheap insurance relative to treble damages if you can prove by doing so your organization took reasonable steps.
So it is with these security issues. The more certifications along the lines of SAS-70 you hold, the more opportunity you have to tell the lawyers that your organization took reasonable steps and therefore shouldn’t be held liable, or at least not liable for as much. SAS-70, incidentally, is an auditing standard promulgated by the AICPA. There are many more such standards out there, such as those associated with Sarbanes-Oxley. When you look at the impact Sarbanes-Oxley has had on small public companies, it isn’t hard to see that this kind of thing will drive the SMB market to doing more and more in the cloud using SaaS and other mechanisms, because they just won’t be able to afford to certify their own projects the way the bigger companies can.
In TJX’s case, they would have benefited from using a more standardized product, running in a more modern datacenter, with all the safeguards and certifications in place. A modern thin client could run HTTPS, which adds much stronger encryption on top of the nearly useless wireless WEP protocol TJX was using. In short, it’s hard to see how a respectable SaaS vendor would have fallen into the same traps, precisely because customers would have insisted on audits like PCI-DSS and they’d have insisted the guidelines had been followed. For their part, the SaaS vendor should be touting those things as advantages and amortizing the cost over multiple tenants so as to make it cheaper for customers to have the additional security. Sure, a SaaS vendor could make a mistake, but doing so leaves that vendor liable more than the customer.
I can already hear the arguments that if TJX had only done the right things with their on-premises software, there’d have been no issue, so why is Bob making this out as a SaaS thing? If the trend to take the litigation route on these things continues, companies will have a lot more to think about before undertaking to accept all of that liability themselves. Let’s also consider that TJX apparently knew of the deficiencies but did not take action. Why, then, didn’t they take action? I have no data to support this, but in my experience this almost always boils down to issues of cost. TJX probably had the best of intentions, but lacked the resources, budget, and time to make the fixes before time ran out for them. It was a costly mistake, but again, it seems like costs are something that SaaS greatly alleviates.