I was chatting with a colleague this week, let’s call her Anne, who had a very interesting question. “Should Anne carry personal liability insurance as a QSA working for a QSA company?”

She was trying to assess her personal liability for doing QSA work. Let’s say Anne made a mistake, and that mistake caused a merchant to be breached. Would her former employer go after Anne to make her a scapegoat after she left?

[Photo: “Judge me not,” by Steve Punter]

I had a brief discussion with David Navetta of the Info Law Group about the idea (and please note that anything found here is NOT legal advice, and you should always talk to an attorney if you have an issue… entertainment purposes folks), and he mentioned that normal employment law should govern an issue like this. Unless Anne was committing an intentional act or fraud, it is not likely that she would be liable for a mistake she made while delivering services.

According to David, the decision on the issue would hinge on whether Anne’s action, error, or omission was something done outside the scope of her employment. If Anne was working on an assessment as an employee of a consulting firm at the time, then her action would be covered as an action done on behalf of the company, thus within the scope of her employment.

In order to be a QSA, the PCI Security Standards Council requires that you carry a minimum of $2 million in what is called Errors and Omissions insurance. A mistake made by an employee of a QSA would be covered by this insurance policy, as it covers current and former employees, but the real question Anne is asking is whether she should be worried about a former employer bringing a lawsuit against her for her actions.

Obviously, anything can happen. An employee could carry their own insurance, but they would most likely need to get it before they started doing the assessments, as the effective date matters to whether claims would be paid. A lawsuit of this nature would be rare (if not out of character), and any insurance that an individual QSA carried would not cover an intentional act.

If you have been put in this position by a former employer, I’d love to hear your story.

This post originally appeared on BrandenWilliams.com.
