
Bank pulls out of class-action lawsuit against retail giant Target

Texas-based Green Bank will drop out of its own suit over liability of Target’s data breach

The class-action lawsuit brought by two banks over retail giant Target’s data breach took a bizarre twist late last month: just four days after the lawsuit was filed, New York-based Trustmark National Bank backed out of the suit, claiming it was baseless. Now, legal experts question whether the second bank, Texas-based Green Bank, will drop out of its own suit over liability for Target’s data breach.

The data breach occurred between November 27 — known as Black Friday, the big shopping bonanza following Thanksgiving — and December 15.

In the same lawsuit, security firm Trustwave Holdings Inc. was also being sued over the massive breach. The two banks had claimed that Trustwave, Target’s alleged security assessor, failed to maintain the retailer’s ongoing compliance with the Payment Card Industry Data Security Standard and other industry standards for protecting personally identifiable information.

According to, both Target and Neiman Marcus confirmed that malicious software on their point-of-sale (POS) systems intercepted payment card data after cards were swiped, while the data was briefly held unencrypted in the device’s memory.

Reuters reported that Target, the third-largest U.S. retailer, already faces about a dozen lawsuits over the breach but this class-action suit is the first to focus on Trustwave.

In a letter posted on Trustwave’s website over the weekend, just before the notice of dismissal was filed, CEO and president Robert McCullen wrote, "Contrary to the misstated allegations in the plaintiffs' complaints, Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target's network, nor did Trustwave process cardholder data for Target."

Legal and cybersecurity experts weighing in on the about-face from the banks say it is likely that Target or Trustwave pointed out to the plaintiffs that the claims they made in their motion are fake, according to  David Navetta, the co-founder of the Information Law Group, who is not involved in the case, told that “frivolous pleadings can result in penalties and other adverse consequences if there is no reasonable basis for the allegations.” Navetta and others also told Tracey Kitten in her article on the twist in the lawsuit on that he wouldn’t be surprised if Trustwave threatened to file commercial disparagement counterclaims. “To the extent that false allegations impact Trustwave's business, they may have valid claims to go after the banks,” added Navetta.

Green Bank has not made a motion to dismiss the suit, and while Trustmark National Bank filed a motion to dismiss its claims, it has reserved the right to refile the suit.

Another expert, Shirley Inscoe, a financial fraud expert and analyst with consultancy Aite, also told that while Trustwave may have provided Target with some sort of security service, penetration testing does not appear to have been one of them.

"The scan they did of Target's network was not a penetration test," Inscoe said. "Trustwave did not perform penetration testing services for Target, so I did not see them having liability as specifically charged in description of the suit. ... Most security vendors are very careful to word contracts to prevent themselves from having liability to their client in case incidents occur."

But attorney Dan Mitchell, who represented PATCO Construction in a high-profile account takeover dispute with People's United Bank, says plaintiffs have a fair amount of leeway when it comes to the claims they allege in suits.

"At this stage of the game in litigation, all you have to do is make good faith allegations; you don't have to have all of your evidence and proof," Mitchell says. "You have to have a good faith basis to make an allegation, but it's a low bar at this stage in the game, typically."



Contributing Author


Alexis Harrison
