As an IT professional who WAS a whistleblower on this very issue, and one who spent the last 3 years of my life dealing with the subsequent litigation, I think I can speak to this issue with some authority. Not only from my experience when I was trying to get something done about many large security holes in a company that stores billions of credit card numbers, but also from what I learned during the deposition and trial process during the course of the lawsuit. It was a real eye-opener into how large businesses (and financial institutions) look at security.
This is what I learned:
- First and foremost – if the company won’t do anything about security problems, even major ones like what I saw in my situation – there is no outside regulatory agency that will take steps to rectify the problem. Not the Federal Trade Commission, Attorneys General at a state level, SEC (in the case of publicly traded companies), Congress, FBI, Treasury Department, VISA or the other card brands. For me, the only hope that I have currently of any agency doing anything about data security is the Public Company Accounting Oversight Board (PCAOB), which can sanction accounting firms for not testing for state, federal and contractual compliance issues – which should include data security, successful PCI assessments etc. I tried every other avenue, including the courts, and got nowhere.
- Because there is no real accountability from the outside, companies with poor ethical standards that flow down from the top level not only don’t take security seriously, but have no compunction about lying to auditors, intimidating/harassing/firing staff that bring up problems, perhaps paying off PCI QSAs to falsify assessments (either that or it’s a don’t ask/don’t tell type of thing on the QSA side), just doing whatever it takes to get past the PCI and continue with the least amount of security possible.
- VISA/MC do nothing to enforce PCI unless there is a big breach, then they just take steps to get as much $$$ as possible from the MERCHANTS. They do nothing as far as enforcement for prevention of breaches that I have seen. They seem to do little or nothing with service providers – i.e. the third party processors and banks. VISA/MC can’t function without them.
- During my trial I watched no fewer than 8 employees of the defendant testify on the witness stand that my greatest crime was going outside the “chain of command” to escalate security problems, and the absolute worst thing I did was report them to the Office of Information Security. This was after working for months to try to get the problems solved within my “chain of command.” I found this astounding.
- Fixing security problems can very often be costly (both monetarily and time-wise), and if a company has a culture that promotes managers because they are good at telling the higher-ups what they want to hear, these problems are doomed to be buried.
- Even upper-level IT management can be exceptionally dense about security problems. For example, in April of 2005, I filed a Sarbanes-Oxley whistleblower complaint that not only covered the retaliation I was going through for reporting data security problems, but also gave details about the problems themselves. Within 45 days of this, an external PCI assessor did an audit and found the company to be non-compliant in 9 of the 12 domains of the assessment (including Domain 3 – failing to protect stored data – which is what I had reported on), and within about 60 days the CardSystems data breach (another third-party processor) was front-page news. However, even with all these big red flags pointing to security problems within his own department, when asked during depositions about what was done internally at the company to review data security after the CardSystems data breach, the CIO stated that he thought he had “talked about it in the hall” with someone.
- During discovery we were only able to obtain documentation on the QSA assessments from the outside vendor – Verisign. Up until then, the company swore up and down that they had always been 100% compliant with PCI, but we found out differently when we received what documentation we could get from Verisign via subpoena. Those documents showed that the company was PCI compliant in 12/04, non-compliant in 5/05, then compliant again in 12/05. This raises many questions in my mind.
- Even under federal subpoena, the company refused to provide auditing documents that showed anything other than the final results that showed the “good” assessments, citing that they had “problems” doing so. In trial, the VP in charge of security stated that he figured they had “lost” scanning results when questioned about certain missing documents that the PCI board had asked for. He saw no problem with this.
I won’t go on any further, as I think just this information is sobering to any IT security professional.
As far as whistleblower laws in security go – there are laws on the books right now, but there is no real enforcement being done. To me the only answer is regulation – but no one wants to touch it, and I think the reason is that VISA/MC are driving the US economy right now – and never mind the huge debt the consumer is carrying, the federal government doesn’t want to rock the boat with something as inconvenient as data security.
This is from someone who has been in the belly of the beast for a long, long time.
Nell Walton, CISA, CISSP
Nell: If we render “private” data so it is of no value to criminals, then we don’t have to work so hard to prevent unauthorized access to it. For example, the credit card system could change so authentication relies more on user behavior and less on the secrecy of re-usable codes. What do you think? –Ben http://hack-igations.blogspot.com/2007/08/recorded-behavior-as-authentication.html
Makes sense to me. How would the user behavior fit into this scenario?