Data-Theft Case Proves Need For New Disclosure Law - 'Better Scapegoat'
Speaking of scapegoats, a new player was introduced into this mess Thursday, and it was Cable & Wireless Security, now owned by Savvis Communications. Cable & Wireless had performed an audit on CardSystems long before the incident, and that glowing audit report is what Visa pointed to as the reason it welcomed CardSystems into its group.
Quickly sensing a better scapegoat (political note: the best scapegoat is always the one not in the room), CardSystems seized on Cable & Wireless' audit as the problem here. Gosh, implied CardSystems' CEO, had only Cable & Wireless been doing its job, it would have discovered how lousy a job I was doing, and none of this would have happened. Shame on them!
In fairness, Cable & Wireless Security may indeed have missed some things in its audit, but when we spoke with the executive in charge of that auditing team (who apparently hadn't known of the congressional testimony until we called and brightened his day), he was quite convincing that the problems didn't exist on the machines they examined when they examined them.
This gets us into the age-old (and difficult to fix) problem with any kind of auditing. The auditor works for the company being audited. The auditor is allowed to examine only what the audited company provides. If Cable & Wireless was told that these machines over here were the only ones used for handling Visa transactions, they were limited to exploring those machines.
Even if those were the correct machines, it's only a snapshot of the days the audit happened. If the company starts getting sloppy (or worse) the day after the audit is completed, the auditor can't be blamed.
Visa also cited a lack of cooperation from CardSystems as one of its reasons for severing its relationship. (As a reporter who has never received a call back from CardSystems, I'll try not to comment that those charges certainly seem easy to believe.)
CardSystems defended its shortfall of answers to Visa by saying that some unidentified former employees of Cable & Wireless couldn't be found to answer those questions.
Cable & Wireless said no such people exist. The audit team consisted of four people, three of whom are still with the company, while the fourth left recently and is very easy to find.
Perry's point about the disincentives to disclose, however, is quite valid. Without a new law, these kinds of incidents won't happen less frequently. They'll merely be disclosed less frequently.
It's like the sleight of hand of the FBI's crime statistics. Television anchors typically say those numbers mean that the number of murders or burglaries or whatnot has gone up or down, but that's not at all what the reports say.
They merely say that the number of crimes reported and classified as murders or burglaries has gone up or down. There are lots of reasons why reports go up or down that have little to do with the actual crime going up or down.
There's no question that lots of finger-pointing surrounds this problem, along with seemingly contradictory information. And there's also no question that it wouldn't be any better if it had all happened in secret.
Evan Schuman is retail editor for Ziff Davis Internet's Enterprise Edit group. He has tracked high-tech issues since 1987, has been opinionated long before that and doesn't plan to stop anytime soon. He can be reached at Evan_Schuman@ziffdavis.com.