New Twist in Target Lawsuit

One Bank Backs Out of Case Against Retailer, Trustwave

By , March 31, 2014.
New Twist in Target Lawsuit
 

Just four days after two banks filed a class action lawsuit against breached U.S. retailer Target Corp. and security firm Trustwave Holdings Inc. over liability in the wake of the retailer's data breach last year, one of the banks voluntarily dismissed its claims (see Target, Trustwave Sued Over Breach).

See Also: Malware & Spear Phishing: How to Defend the Enterprise

Now experts question whether the other bank that jointly filed the suit will soon dismiss its claims as well.

On March 24, New York-based Trustmark National Bank and Texas-based Green Bank filed suit to recover losses and expenses tied to Target's breach. In the suit, they claimed that Trustwave, as Target's alleged qualified security assessor, failed to maintain the retailer's ongoing compliance with the Payment Card Industry Data Security Standard and other industry standards for protecting personally identifiable information.

But on March 28, Trustmark National Bank dismissed its claims against the two companies, reserving the opportunity to refile the suit. Trustmark executives could not be reached for comment.

No motion to dismiss has yet been made by Green Bank, and executives of that bank also could not be reached for comment.

The notice to dismiss came just before Trustwave CEO Robert McCullen issued a statement over the weekend saying that recent claims made against his company related to Target were "without merit." He also noted that Trustwave was looking forward to "vigorously defending ourselves in court against these baseless allegations."

"Contrary to the misstated allegations in the plaintiffs' complaints, Target did not outsource its data security or IT obligations to Trustwave," McCullen said in the March 29 statement. "Trustwave did not monitor Target's network, nor did Trustwave process cardholder data for Target."

Assessing the Circumstances

Cybersecurity and privacy attorney David Navetta, the co-founder of the Information Law Group, who's not involved in the case, says it's likely that Target or Trustwave pointed out to the plaintiffs that the claims they made in their motion are false.

"Frivolous pleadings can result in penalties and other adverse consequences if there is no reasonable basis for the allegations," he says. "Moreover, I would not be surprised if Trustwave threatened to file commercial disparagement counterclaims. To the extent that false allegations impact Trustwave's business, they may have valid claims to go after the banks."

Navetta and other observers are questioning why Trustwave was named in the lawsuit.

"I do find that in many cases these types of cases are filed quickly by general commercial litigation firms that don't really understand technology or security, let alone the details of PCI and the role of a QSA," he says. "They may have just been mistaken in their understanding of Trustwave's role here."

Shirley Inscoe, a financial fraud expert and analyst with consultancy Aite, says that while Trustwave may have provided Target with some sort of security service, penetration testing does not appear to have been one of them.

"The scan they did of Target's network was not a penetration test," she says. "Trustwave did not perform penetration testing services for Target, so I did not see them having liability as specifically charged in description of the suit. ... Most security vendors are very careful to word contracts to prevent themselves from having liability to their client in case incidents occur."

Good Faith Allegations?

But attorney Dan Mitchell, who represented PATCO Construction in a high-profile account takeover dispute with People's United Bank, says plaintiffs have a fair amount of leeway when it comes to the claims they allege in suits.

"At this stage of the game in litigation, all you have to do is make good faith allegations; you don't have to have all of your evidence and proof," Mitchell says. "You have to have a good faith basis to make an allegation, but it's a low bar at this stage in the game, typically."

Follow Tracy Kitten on Twitter: @FraudBlogger

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Dridex Banking Trojan: Worldwide Threat

Attackers are targeting online banking users' account information worldwide through sophisticated...

Latest Tweets and Mentions

ARTICLE Dridex Banking Trojan: Worldwide Threat

Attackers are targeting online banking users' account information worldwide through sophisticated...

The ISMG Network