Target Breach: Another Suit Names Trustwave
But Earlier Suit that Included Security Vendor is Dropped
Three Massachusetts banks have filed a new class-action lawsuit against Target Corp. and security firm Trustwave Holdings Inc., claiming the two firms should be held liable for expenses associated with the retailer's 2013 payments breach that exposed some 40 million credit and debit cards.
The banks allege that Trustwave, as Target's security vendor, neglected to ensure and maintain Target's overall network security, which ultimately resulted in the breach.
Meanwhile, a separate class-action lawsuit filed by two other banks against Trustwave and Target has been dropped (see Target, Trustwave Sued Over Breach). New York-based Trustmark Bank and Texas-based Green Bank both voluntarily dismissed their class-action lawsuit without prejudice, meaning they can refile at any time (see New Twist in Target Lawsuit).
The Trustmark/Green Bank suit claimed Trustwave, as Target's alleged qualified security assessor, failed to maintain Target's ongoing compliance with the Payment Card Industry Data Security Standard and other industry standards for protecting personally identifiable information.
Neither bank could be reached for comment about the lawsuit dismissal.
But just days before the suit was voluntarily dismissed, Trustwave CEO Robert McCullen issued a statement saying the company had not been hired by Target to manage data security or IT obligations. "Trustwave did not monitor Target's network, nor did Trustwave process cardholder data for Target," he said.
A Lawsuit Catalyst
When an event such as a massive and widely publicized data breach occurs, numerous class-action lawsuits, making various arguments and naming various defendants, can be expected, says attorney Dan Mitchell, who represented PATCO Construction in a high-profile account takeover dispute with People's United Bank.
He anticipates more suits will name Target as well as Trustwave, despite the dismissal of the Trustmark/Green Bank case.
Mitchell also notes that other class-action suits filed just against Target could still be amended to include Trustwave (see Suits Against Target Make 'Statement').
Even though Trustwave says it did not oversee data security or network monitoring for Target, it may have provided some other type of service relevant to card security at some other point in time, he points out.
Minnesota Statute Angle
In a class-action suit filed in Minnesota on March 28, HarborOne Bank, Mutual Bank and Pittsfield Cooperative Bank, all based in Massachusetts, claim Target and Trustwave, as the retailer's alleged provider of data security services, are responsible for paying banking institutions for damages and losses associated with Target's breach. They also claim both Target and Trustwave violated the Minnesota Plastic Card Security Act, which prohibits businesses from retaining certain types of payment card data for more than 48 hours.
That Minnesota statute gives banking institutions the right to attempt to recover breach-related costs by suing Minnesota businesses that inappropriately store card data and are breached. Target is based in Minneapolis.
None of the Massachusetts banks, nor the attorney representing them, could be reached for comment.
A class-action lawsuit filed March 17 by Umpqua Holdings Corp. against Target, but not Trustwave, makes the same claims for reimbursement under the Minnesota statute (see Bank Files Unique Suit Against Target).
Fraud expert Al Pascual, a lead analyst at consultancy Javelin Strategy & Research, says Trustmark Bank and Green Bank may be considering refiling their case to take advantage of the state's law as well. "It could very well be that they are considering the Minnesota statute as a better angle by which to find some success," he says.
While data breach-related civil suits often fail, he says, the Minnesota law "is tailor-made for just this kind of incident."
One financial fraud expert, however, questions whether any legal actions against Trustwave will prove successful.
"It's a stretch for me that a security vendor [Trustwave] would be found to have any liability toward anyone other than its own client [Target], let alone card issuers who might be affected in a breach," says financial fraud expert Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation. "The root problem here is not how well a security vendor performs its services. The problem is the mentality in the industry, of bashing the victim and conflating PCI compliance with actual security. They're not the same thing. How many breach victims have we seen now who were PCI compliant? We shouldn't even be having this conversation anymore."