Just how much legal responsibility do infosec vendors have when a breach happens?
Two insurance companies are suing Trustwave over the Heartland breach. The fact that insurance companies are involved makes it interesting because a) insurance companies have deep pockets, and b) insurance companies sometimes like to push the legal system as far as it can go.
There is an interesting thread on Twitter in this regard ...
Great question, I think the very nature of this case and others will answer your question. The outcome may have an impactful result on our industry.
Clearly one result is people are watching and expecting accountability.
In my humble opinion and based on my experience, I believe the liability is not only on the vendor but also on the security professionals of the company breached. This is where extensive experience is very important. Security professionals should deeply assess the products they select, challenge them against other vendors to understand their limits before choosing to implement them in their organization. On the other hand, one technology is often not enough to monitor the controls. Besides the vulnerability scanner, IPS/IDS and server logs should be monitored quite frequently so if the scanner misses something, the security professionals can notify the vendor for improvement.
When determining whose fault it is, there are so many items to consider. Since Trustwave was installed, who was ultimately managing the product, and could it be an operator error? Who installed the product, and was it installed correctly?
I would imagine that Trustwave would be looking to prove that the configuration deviated from documented and/or installed best practices, while the organization bringing the lawsuit will argue that the product was just generally defective and didn't work. Another reason to utilize proofs of concept.
This may not be a close example, but when you buy a car and drive it off the lot, then wreck the car, it's the issue of the operator to fix any damages, unless the operator can prove that the issues were due to a defect in the product caused by the manufacturer. We never hear of car manufacturers getting sued for someone driving a car off the lot and having a wreck. Car manufacturers assume you know how to operate said car and are certified to do so (driver's license).
There should have been an early detection of the attack. 30 000 000 accounts cannot be breached in one day. There has been a progressive attack, and this is why I maintain, as mentioned above, that combining different security controls should have helped the security professionals to detect that there was an issue with their Trustwave product and report it for correction.
Moreover, security professionals should explore from the beginning all the capabilities of the technology they are using, to be aware of its limitations at an early stage.
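As an added example (not from this thread, Trustwave, or any vendor), the kind of cross-control check the comment above argues for: aggregating bulk-read counts from server logs per day and flagging a sustained, growing pull that a single day's scanner or IDS view would miss. The log format, dates and row counts are all constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample log (illustrative, not real data): one line per bulk
# read of the cardholder table, "YYYY-MM-DD rows=N". The first week is the
# normal baseline; the second week shows a slowly growing daily pull.
SAMPLE_LOG = "\n".join(
    f"2008-05-{day:02d} rows={rows}"
    for day, rows in [
        (1, 1100), (2, 1300), (3, 950), (4, 1200), (5, 1250), (6, 900), (7, 1150),
        (8, 1400), (9, 3900), (10, 4800), (11, 5200), (12, 6100), (13, 7300), (14, 9000),
    ]
)


def daily_totals(log_text):
    """Sum the rows read per calendar day; returns {day: rows} in date order."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        day, _, rows = line.partition(" rows=")
        totals[day] += int(rows)
    return dict(sorted(totals.items()))


def find_progressive_pull(totals, baseline_days=7, factor=3.0, min_run=3):
    """Return the first run of at least min_run consecutive days whose total
    exceeds factor x the median of the baseline window, or [] if none.
    A lone spike is ignored on purpose: the signal is sustained activity."""
    days = list(totals)
    threshold = median(totals[d] for d in days[:baseline_days]) * factor
    run = []
    for d in days[baseline_days:]:
        if totals[d] > threshold:
            run.append(d)
        elif len(run) >= min_run:
            break
        else:
            run = []
    return run if len(run) >= min_run else []


if __name__ == "__main__":
    suspicious = find_progressive_pull(daily_totals(SAMPLE_LOG))
    print("sustained elevated bulk reads on:", suspicious or "none")
```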