Digital Transactions Authoritative, insightful and timely information for payments professionals
Two banks that sued Target Corp. and data-security services provider Trustwave Holdings Inc. in the wake of Target’s massive data breach have withdrawn their federal lawsuit after filing it only a week ago, leaving payments-industry observers wondering why they brought the action in the first place.
In separate motions filed Friday and Monday, New York City-based Trustmark National Bank and Houston-based Green Bank N.A. did not state their reasons requesting dismissal of the lawsuit they filed March 24 in U.S. District Court in Chicago. Two of their attorneys did not respond to Digital Transactions News requests for comment. Both banks filed for dismissal without prejudice, which means they could return to court with an amended complaint.
The banks said some of their credit and debit cards were compromised in the breach that Target confirmed in December, a breach that affected 40 million cards, and claimed Target and Chicago-based Trustwave were negligent in preventing the breach. While Target already faces about 100 lawsuits resulting from the breach, the Trustmark-Green Bank suit, which sought class-action status, was notable because it also took the rare step of trying to place legal liability on a provider of Payment Card Industry data-security standard (PCI) services such as Trustwave.
The problem with that strategy, according to payments-industry attorney Anita Boomstein, a partner at Hughes Hubbard & Reed LLP in New York, is that the law does not extend liability to a service provider such as Trustwave for fraud and related losses suffered by third parties, such as card issuers, after a data breach at the provider’s client merchants.
“Whether Trustwave has any liability for the results of its audit is only a matter between Trustwave and its merchants,” says Boomstein. “I don’t believe any bank has a cause of action against Trustwave.” She adds: “They [providers] have a duty to the person that is using their service. That’s the fundamental problem the plaintiffs face. Trustwave had no duty to them.”
The lawsuit alleged that Target “outsourced its data-security obligations to Trustwave,” the largest company in the relatively new industry of PCI services providers. Trustwave gave Target a passing grade after scanning its systems last Sept. 30, the suit claimed.
Trustwave did not comment until Saturday, when chief executive Robert J. McCullen posted a brief statement on the company’s Web site saying the lawsuit was “without merit” and disputing its claims about what services, if any, Trustwave provided to Target. “Contrary to the misstated allegations in the plaintiffs’ complaints, Target did not outsource its data-security or IT obligations to Trustwave,” McCullen said. “Trustwave did not monitor Target’s network, nor did Trustwave process cardholder data for Target.”
A Trustwave spokesperson said the company would not comment beyond McCullen’s statement.
