Two banks filed a class-action lawsuit against Target and information security vendor Trustwave, alleging each played a role in the retailer’s lack of compliance with many widely-accepted regulations and standards, including PCI DSS.
While the count of lawsuits against Target from customers and banks are approaching triple digits, this looks to be the first attempt to lasso Target’s third-party vendor, Trustwave, into the mix.
The suit, filed by Trustmark National Bank and Green Bank in U.S. District Court in Northern Illinois, alleges, “upon information and belief,” that Target hired Trustwave to protect and monitor the retailer’s systems but Trustwave “failed to live up to its promises, or to meet industry standards.”
The Consumer Bankers Association said the cost of card replacements for its members, and other expenses, stand at about $172 million. The Credit Union National Association said its members have shelled out $30.6 million.
Trustwave told Advisen its policy “is not to confirm that any party is a customer, not to comment on specific customers and not to comment on pending legal matters.” The Chicago-based company also gave no comment on its possession of cyber or other insurance to cover or alleviate litigation costs.
Trustwave allegedly told Target as late as last September that there were no vulnerabilities in Target’s computer system. The suit furthermore claims Trustwave was hired to detect breaches of personal identifiable information and other data but the late 2013 data breach “continued for nearly three weeks on Trustwave’s watch.’
The Target data breach is the largest ever retail breach according to Advisen Loss Insight data. After initially announcing 40 million customer debit and credit cards were exposed, Target additionally told the public as many as 70 million more customers had personal information stolen as part of the November 27 – December 15 breach.
Trustmark and Green allege Target did not need warnings from the credit card industry and others pertaining to the vulnerabilities of its point-of-sale system against malware. The retailer had suffered data breaches before late last year but “dis not correct the problems.”
“The data breach would not have happened if Target had actually followed the industry standards and best practices as it claimed,” reads the lawsuit.
Trustmark and Green banks are asking for a certification of a class, compensatory damages, statutory damages, legal costs and expenses and injunction preventing Target from telling customers it adheres to “industry standard methods to protect [sensitive customer] information.”