Target, Trustwave Sued Over Breach
Experts Analyze Unusual Details of Case Filed by Banks
Legal and fraud experts are sizing up a class-action lawsuit filed by banking institutions against Target Corp. as well as Trustwave Holdings Inc., a qualified security assessor allegedly hired by the retailer before its massive point-of-sale network breach last year.
In seeking to recoup banks' expenses tied to the breach, the lawsuit, filed March 24 by Trustmark National Bank and Green Bank, claims, among other things, that Trustwave failed to maintain ongoing compliance with the Payment Card Industry Data Security Standard and other industry standards for protecting personally identifiable information and other sensitive cardholder data.
But financial fraud expert Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation, questions how much liability a third-party QSA really has when it comes to a retail breach.
"By naming Trustwave along with Target, this lawsuit is a real stretch," he says. "Until it plays out, though, it's going to make security vendors everywhere pretty nervous."
Security vendors are mindful of the increasing breach risks their clients face, he adds.
"[They] are acutely aware of the possibility of making a mistake, overtly or by omission, in the work they do for a client, especially those operating in the litigation-happy U.S.," Wills says. "The chances of such a mistake happening are actually very high, and they get higher every day as data breach threats become ever-more numerous and complex."
As a result, security vendors typically limit their breach liability in their contracts, carry insurance to address oversights or "mistakes," and are mindful to thoroughly document their actions when performing security assessments, he adds.
This is not the first time a third party, or Trustwave specifically, has been sued after a breach, says privacy attorney David Navetta, co-founder of the Information Law Group. But it is the first time a QSA has been sued by card issuers, he says.
"Ultimately, I think these cases are hard for plaintiffs like banks, because they don't have direct relationships with vendors like Trustwave," Navetta says. "Without a contract or some other independent legal obligation to link in to, it is difficult for plaintiffs to prevail."
Like other complaints recently filed against Target, including the class-action lawsuit filed earlier this month by Umpqua Bank, Trustmark National Bank and Green Bank claim Target is responsible for all expenses and fraud losses incurred by card-issuing institutions as a result of its 2013 breach (see Suits Against Target Make 'Statement').
The 48-page complaint, filed in the U.S. District Court for the Northern District of Illinois, also alleges Trustwave ultimately failed to ensure Target's POS network and other systems were secure.
"On information and belief, Trustwave scanned Target's computer systems on Sept. 20, 2013, and told Target that there were no vulnerabilities in Target's computer systems," the complaint alleges. "Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target's systems and compromises of PII or other sensitive data. In fact, however, the data breach continued for nearly three weeks on Trustwave's watch."
In a response to Information Security Media Group on March 25, Trustwave states: "Our company's policy is not to confirm that any party is a customer, not to comment on specific customers and not to comment on pending legal matters."
A Target spokeswoman tells Information Security Media Group that Target can't comment on pending litigation.
Lawsuit Cites Gonzalez Case
The complaint alleges, among other things, that Target failed to disclose its breach in a timely manner and had previously suffered breaches and been warned that its payments systems were vulnerable to attack.
It also calls into question Target's ongoing security practices. The suit alleges a Target connection to the Albert Gonzalez-led mega-breach that impacted an estimated 170 million payment cards back in 2008.
"In 2007, a computer hacker named Albert Gonzalez stole and resold more than 170 million card and ATM numbers from numerous retailers, including Target," the complaint alleges. "Target attempted to conceal the fact that it had been subject to the Gonzalez attack, and only later disclosed that its customers' information had been compromised after a blogger reported that Target had been an unnamed retailer described in an indictment against Gonzalez filed by law enforcement."
Following the Gonzalez scandal, data security experts warned that yet another potential data breach of Target's POS system was likely, and they provided information on how to prevent such a breach, the complaint contends. "Experts also warned that failure to implement preventative measures could result in an even larger data breach."
But the complaint claims Target ignored those warnings, which ultimately resulted in the massive breach it suffered in 2013. That breach exposed some 40 million debit and credit cards as well as other sensitive information about an additional 70 million of its customers.