Just four days after two banks filed a class action lawsuit against breached U.S. retailer Target Corp. and security firm Trustwave Holdings Inc. over liability in the wake of the retailer's data breach last year, one of the banks voluntarily dismissed its claims (see Target, Trustwave Sued Over Breach).
Now experts question whether the other bank that jointly filed the suit will soon dismiss its claims as well.
On March 24, New York-based Trustmark National Bank and Texas-based Green Bank filed suit to recover losses and expenses tied to Target's breach. In the suit, they claimed that Trustwave, as Target's alleged qualified security assessor, failed to maintain the retailer's ongoing compliance with the Payment Card Industry Data Security Standard and other industry standards for protecting personally identifiable information.
But on March 28, Trustmark National Bank dismissed its claims against the two companies, reserving the opportunity to refile the suit. Trustmark executives could not be reached for comment.
No motion to dismiss has yet been made by Green Bank, and executives of that bank also could not be reached for comment.
The notice to dismiss came just before Trustwave CEO Robert McCullen issued a statement over the weekend saying that recent claims made against his company related to Target were "without merit." He also noted that Trustwave was looking forward to "vigorously defending ourselves in court against these baseless allegations."
"Contrary to the misstated allegations in the plaintiffs' complaints, Target did not outsource its data security or IT obligations to Trustwave," McCullen said in the March 29 statement. "Trustwave did not monitor Target's network, nor did Trustwave process cardholder data for Target."
Assessing the Circumstances
Cybersecurity and privacy attorney David Navetta, the co-founder of the Information Law Group, who's not involved in the case, says it's likely that Target or Trustwave pointed out to the plaintiffs that the claims they made in their motion are false.
"Frivolous pleadings can result in penalties and other adverse consequences if there is no reasonable basis for the allegations," he says. "Moreover, I would not be surprised if Trustwave threatened to file commercial disparagement counterclaims. To the extent that false allegations impact Trustwave's business, they may have valid claims to go after the banks."
Navetta and other observers are questioning why Trustwave was named in the lawsuit.
"I do find that in many cases these types of cases are filed quickly by general commercial litigation firms that don't really understand technology or security, let alone the details of PCI and the role of a QSA," he says. "They may have just been mistaken in their understanding of Trustwave's role here."
Shirley Inscoe, a financial fraud expert and analyst with consultancy Aite, says that while Trustwave may have provided Target with some sort of security service, penetration testing does not appear to have been one of them.
"The scan they did of Target's network was not a penetration test," she says. "Trustwave did not perform penetration testing services for Target, so I did not see them having liability as specifically charged in description of the suit. ... Most security vendors are very careful to word contracts to prevent themselves from having liability to their client in case incidents occur."
Good Faith Allegations?
But attorney Dan Mitchell, who represented PATCO Construction in a high-profile account takeover dispute with People's United Bank, says plaintiffs have a fair amount of leeway when it comes to the claims they allege in suits.
"At this stage of the game in litigation, all you have to do is make good faith allegations; you don't have to have all of your evidence and proof," Mitchell says. "You have to have a good faith basis to make an allegation, but it's a low bar at this stage in the game, typically."
Accusing Trustwave of providing certain security services to Target is not out of line at this point in the litigation process, he adds. "That happens all the time in litigation. ... It's not unusual to make claims that have a lot left to be proved," Mitchell says.
He also says that just because Trustmark backed out as a plaintiff in the class action suit does not mean the suit will be dismissed entirely.
"This is just one of the named plaintiffs," Mitchell explains. "The fact that one decides not to go forward does not mean that the action changes. Other than the fact that Trustmark is no longer named in the case, there really aren't a whole lot of consequences. And who knows why they decided to remove their name? ... To me what is interesting is that it's a class action. Why would banks want to proceed as a class action in this case? ... If you have a lot at stake, you don't typically want to be a part of a class action."