Banks' suit in Target breach a 'wake-up call' for companies hiring PCI auditors

Two banks have filed a lawsuit against Target and Trustwave Holdings, the retailer's security assessor

A lawsuit filed by two banks against Target and Trustwave Holdings, the retailer's security assessor and service provider, could lead to more rigorous evaluations of a company's security for protecting payment card data, experts say.


Trustmark National Bank and Green Bank N.A. sued Target and Trustwave in federal court in Chicago Monday, accusing them of negligence and other misdeeds in the massive data breach that occurred at Target stores last December.

The suit, which seeks class-action status, asks for damages for the losses the banks suffered in canceling and reissuing credit and debit cards after tens of millions of payment card numbers were stolen from Target's computer systems.

The lawsuit is one of the few times banks have tried to hold a security auditor partly responsible for a breach. In this case, the plaintiffs are suing Trustwave for failing to catch security problems while validating Target's compliance with the Payment Card Industry Data Security Standard.

The suit also accuses Trustwave of helping to make the breach possible by later failing to spot vulnerabilities in Target's network. Target had hired Trustwave both as its PCI auditor and as its security service provider.

"It's a significant development because auditors and security technology companies have never previously faced liability for failing to detect or mitigate breaches," Jacob Olcott, manager of the cybersecurity practice at consultancy Good Harbor Security Risk Management, said Wednesday.

"It certainly raises the bar for auditors, who may modify their auditing practices to enhance the scrutiny of the companies they audit."

Indeed, Lisa Sotto, chair of the global privacy and cybersecurity practice of the law firm Hunton & Williams, said qualified security assessors (QSAs) could take a step back and review how they conduct their audits.

"The QSAs would be wise to pay attention to this and to ensure that there's appropriate rigor in their assessments," Sotto said.

Some assessors are more "check the box" and less rigorous, while others are extremely thorough, she said. Less diligent QSAs will sometimes cut corners in order to keep prices competitive.

"The cost pressure results in probably less time than may be needed to do an appropriate assessment," Sotto said.

Avivah Litan, analyst for Gartner, recommended that companies hire separate vendors to do PCI audits and manage security. Hiring one company to do it all is "not a clean business practice," she said.

"Hopefully, this lawsuit will serve as a wake-up call to companies that have to comply with PCI," Litan said. "They should use assessors that aren't selling security services and are really experts just in the auditing and are giving a very independent opinion."


The suit could also have an impact on negotiations between companies and security service providers, with each side becoming clearer about where its responsibilities begin and end, Christine Ferrusi Ross, analyst for Forrester Research, said.
