A lawsuit filed by two banks against Target and Trustwave Holdings, the retailer's security assessor and service provider, could lead to more rigorous evaluations of a company's security for protecting payment card data, experts say.
Trustmark National Bank and Green Bank N.A. sued Target and Trustwave in federal court in Chicago Monday, accusing them of negligence and other misdeeds in the massive data breach that occurred at Target stores last December.
The suit, which seeks class-action status, seeks damages from losses the banks suffered in canceling and reissuing credit and debit cards following the loss of 10s of millions of payment card numbers from Target's computer systems.
The lawsuit is one of the few times banks have tried to hold a security auditor partly responsible for a breach. In this case, the plaintiffs are suing Trustwave for failing to catch security problems while validating Target's compliance with the Payment Card Industry Data Security Standard.
The suit also accuses Trustwave of helping to make the breach possible by later failing to spot vulnerabilities in Target's network. Target hired Trustwave as its PC auditor and its security service provider.
"It's a significant development because auditors and security technology companies have never previously faced liability for failing to detect or mitigate breaches," Jacob Olcott, manager of the cybersecurity practice at consultancy Good Harbor Security Risk Management, said Wednesday.
"It certainly raises the bar for auditors, who may modify their auditing practices to enhance the scrutiny of the companies they audit."
Indeed, Lisa Sotto, chair of the global privacy and cybersecurity practice of the law firm Hunton & Williams, said qualified security assessors (QSAs) could take a step back and review how they conduct their audits.
"The QSAs would be wise to pay attention to this and to ensure that there's appropriate rigor in their assessments," Sotto said.
Some assessors are more "check the box" and less rigorous, while others are extremely thoroughly, she said. Less diligent QSAs will sometimes cut corners in order to keep prices competitive.
"The cost pressure results in probably less time than may be needed to do an appropriate assessment," Sotto said.
Avivah Litan, analyst for Gartner, recommended that companies hire separate vendors to do PCI audits and manage security. Hiring one company to do it all is "not a clean business practice," she said.
"Hopefully, this lawsuit will serve as a wake up call to companies that have to comply with PCI," Litan said. "They should use assessors that aren't selling security services and are really experts just in the auditing and are giving a very independent opinion."
The suit could also have an impact on negotiations between companies and security service providers, with each side becoming clearer where their responsibilities begin and end, Christine Ferrusi Ross, analyst for Forrester Research, said.