In a precedent-setting civil lawsuit, a Saskatchewan woman who overdosed on crystal methamphetamine has won a suit against the drug dealer who sold her the highly addictive drug. From the article:
She has since developed a heart condition that leaves her constantly fatigued and limits her chances of ever having children.
In her statement of claim, Bergen said Davey knew the drug was highly addictive and the sale of the drug was “for the purpose of making money but was also for the purpose of intentionally inflicting physical and mental suffering on Sandra.”
Let’s take this crazy, and blatantly stupid, case and shift it over to the security world. Could you imagine suing your firewall vendor because the product they sold you didn’t prevent a breach from happening? What about an IDS vendor for not detecting an attack? Their legal team would flat-out laugh in your face. I know the situations are not identical, but a parallel immediately came to mind. When you purchase something, anything, there is a certain expectation that the user knows what they are doing.
You buy a firewall to prevent unauthorized network access between network segments. If you don’t configure the solution correctly then unwanted traffic might still get through.
You buy an IDS to inspect for malicious or inappropriate traffic as it flows through your network. If you don’t configure the solution correctly then unwanted traffic might still get through.
You buy a NAC solution to allow access to resources only when the proper credentials are presented. If you don’t configure the solution correctly then unwanted traffic might still get through.
You buy illicit drugs to get high. If you use them you might injure yourself or die.
Security vendors are selling you a tool to perform a task – prevent or detect breaches. In the case of the methamphetamine fiasco, the drug dealer was providing his customer with a tool as well – drugs. These drugs were made to perform a task – get the user high. The moral of the story is: if you buy something, make sure you know all the pros and cons of your purchase before implementing it.
I had to write about this because it made me SOOOOO ANGRY!
We seem to live in a society that lacks personal responsibility and that blames everyone else for anything bad that happens. It's a society where so many people are just victims…of everything and anything. You made a mistake or error? Well, blame someone else and sue them. I thought I could call the '90s the "age of the victim," but it hasn't gone away in this decade either.
This isn't a good landscape for increasing security and insecurity in the digital world, especially since good sec pros will say, "there is no perfect security," which leaves a door open for blame to be laid out no matter who really makes a mistake. Information sharing is soooo efficient now as well, that if a mistake is made in a product, the world knows about it quickly, gets up in arms, and someone somewhere will pony up for a lawsuit. Just look at the iPhone lawsuit because the price went down. Cry me a river, omg the price actually went down?!? OMG never has this happened before!
I hope karma comes around for that woman…frivolous lawsuits and ridiculous decisions need to be made right.
I have to agree with LV.
Also, speaking as a consultant myself: folks who purchase products need to be absolutely sure that they read the contract for the equipment and services they purchase. It doesn't matter how many smiles you get from the sales person…you can only hold a vendor to what's written in the contract, so make sure that it says what you want. If the sales person tells you that you're being sold a device and service that will protect you from data breaches, make sure that's what the contract says.
Also, organizations need to take a good portion of the responsibility. Many intrusions (and data breaches) occur when a blind, stupid piece of software is able to punch a hole through the security of systems set up by people. When it does, it's able to find that "sensitive data", be it PHI, PII, whatever…and most admins and company officers have no idea where this data lives within their own organizations!