New Twist in Target Lawsuit

One Bank Backs Out of Case Against Retailer, Trustwave

Just four days after two banks filed a class action lawsuit against breached U.S. retailer Target Corp. and security firm Trustwave Holdings Inc. over liability in the wake of the retailer's data breach last year, one of the banks voluntarily dismissed its claims (see Target, Trustwave Sued Over Breach).

Now experts question whether the other bank that jointly filed the suit will soon dismiss its claims as well.

On March 24, New York-based Trustmark National Bank and Texas-based Green Bank filed suit to recover losses and expenses tied to Target's breach. In the suit, they claimed that Trustwave, as Target's alleged qualified security assessor, failed to maintain the retailer's ongoing compliance with the Payment Card Industry Data Security Standard and other industry standards for protecting personally identifiable information.

But on March 28, Trustmark National Bank dismissed its claims against the two companies, reserving the opportunity to refile the suit. Trustmark executives could not be reached for comment.

No motion to dismiss has yet been made by Green Bank, and executives of that bank also could not be reached for comment.

The notice to dismiss came just before Trustwave CEO Robert McCullen issued a statement over the weekend saying that recent claims made against his company related to Target were "without merit." He also noted that Trustwave was looking forward to "vigorously defending ourselves in court against these baseless allegations."

"Contrary to the misstated allegations in the plaintiffs' complaints, Target did not outsource its data security or IT obligations to Trustwave," McCullen said in the March 29 statement. "Trustwave did not monitor Target's network, nor did Trustwave process cardholder data for Target."

Assessing the Circumstances

Cybersecurity and privacy attorney David Navetta, the co-founder of the Information Law Group, who's not involved in the case, says it's likely that Target or Trustwave pointed out to the plaintiffs that the claims they made in their motion are false.

"Frivolous pleadings can result in penalties and other adverse consequences if there is no reasonable basis for the allegations," he says. "Moreover, I would not be surprised if Trustwave threatened to file commercial disparagement counterclaims. To the extent that false allegations impact Trustwave's business, they may have valid claims to go after the banks."

Navetta and other observers are questioning why Trustwave was named in the lawsuit.

"I do find that in many cases these types of cases are filed quickly by general commercial litigation firms that don't really understand technology or security, let alone the details of PCI and the role of a QSA," he says. "They may have just been mistaken in their understanding of Trustwave's role here."

Shirley Inscoe, a financial fraud expert and analyst with consultancy Aite, says that while Trustwave may have provided Target with some sort of security services, penetration testing does not appear to have been one of them.

"The scan they did of Target's network was not a penetration test," she says. "Trustwave did not perform penetration testing services for Target, so I did not see them having liability as specifically charged in description of the suit. ... Most security vendors are very careful to word contracts to prevent themselves from having liability to their client in case incidents occur."

Good Faith Allegations?

But attorney Dan Mitchell, who represented PATCO Construction in a high-profile account takeover dispute with People's United Bank, says plaintiffs have a fair amount of leeway when it comes to the claims they allege in suits.

"At this stage of the game in litigation, all you have to do is make good faith allegations; you don't have to have all of your evidence and proof," Mitchell says. "You have to have a good faith basis to make an allegation, but it's a low bar at this stage in the game, typically."

Accusing Trustwave of providing certain security services to Target is not out of line at this point in the litigation process, he adds. "That happens all the time in litigation. ... It's not unusual to make claims that have a lot left to be proved," Mitchell says.

He also says that just because Trustmark backed out as a plaintiff in the class action suit does not mean the suit will be dismissed entirely.

"This is just one of the named plaintiffs," Mitchell explains. "The fact that one decides not to go forward does not mean that the action changes. Other than the fact that Trustmark is no longer named in the case, there really aren't a whole lot of consequences. And who knows why they decided to remove their name? ... To me what is interesting is that it's a class action. Why would banks want to proceed as a class action in this case? ... If you have a lot at stake, you don't typically want to be a part of a class action."


About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



