The class-action lawsuit from two banks surrounding retail giant Target’s data breach experienced a bizarre twist late last month — just four days after the lawsuit was filed — New York-based Trustmark National Bank backed out of the suit, claiming it was baseless. Now, legal experts question if the second bank, Texas-based Green Bank will drop out of its own suit over liability of Target’s data breach.
The data breach occurred between November 27 — known as Black Friday, the big shopping bonanza following Thanksgiving — and December 15.
In the same lawsuit, Security firm Trustwave Holdings Inc. was also being sued over the massive breach. The two banks has claimed that Trustwave, Target’s alleged security assessor, failed to maintain the retailer’s ongoing compliance with the Payment Card Industry Data Security Standard and other industry standards from protecting personally identifiable information.
According to PCWorld.com, Both Target and Neiman Marcus confirmed malicious software on their point-of-sale (POS) systems intercepted data after payment cards were swiped while it was briefly held unencrypted in the device’s memory.
Reuters reported that Target, the third-largest U.S. retailer, already faces about a dozen lawsuits over the breach but this class-action suit is the first to focus on Trustwave.
In a letter posted on Trustwave’s website over the weekend just before the notice to dismissal was filed, CEO and president Robert McCullen wrote "Contrary to the misstated allegations in the plaintiffs' complaints, Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target's network, nor did Trustwave process cardholder data for Target."
Legal and cybersecurity experts weighing in on the about face from the banks say it is likely that Target or Trustwave pointed out to the plaintiffs that the claims they made in their motion are fake, according to bankinforsecurity.com. David Navetta, the co-founder of the Information Law Group, who is not involved in the case, told bankinfosecurity.com that “frivolous pleadings can result in penalties and other adverse consequences if there is no reasonable basis for the allegations.” Navetta and others also told Tracey Kitten’s in her article on the on the twist in the lawsuit on bankinfosecurity.com that he wouldn’t be surprised if Trustwave threatened to file commercial disparagement counterclaims. To the extent that false allegations impact Trustwave's business, they may have valid claims to go after the banks,” added Navetta.
Green Bank has not made a motion to dismiss the suit, and while Trustmark National Bank filed a motion to dismiss its claims, it has reserved the right to retile the suit.
"Trustwave did not monitor Target's network, nor did Trustwave process cardholder data for Target."
Another expert, Shirley Inscoe, a financial fraud expert and analyst with consultancy Aite, also told bankinfosecurity.com that while Trustwave may have provided Target with some sort of security service, penetration testing does not appear to have been one of them.
"The scan they did of Target's network was not a penetration test," Inscoe said. "Trustwave did not perform penetration testing services for Target, so I did not see them having liability as specifically charged in description of the suit. ... Most security vendors are very careful to word contracts to prevent themselves from having liability to their client in case incidents occur."
But attorney Dan Mitchell, who represented PATCO Construction in a high-profile account takeover dispute with People's United Bank, says plaintiffs have a fair amount of leeway when it comes to the claims they allege in suits.
"At this stage of the game in litigation, all you have to do is make good faith allegations; you don't have to have all of your evidence and proof," Mitchell says. "You have to have a good faith basis to make an allegation, but it's a low bar at this stage in the game, typically."