Target, Trustwave Sued Over Breach

Experts Analyze Unusual Details of Case Filed by Banks


Legal and fraud experts are sizing up a class-action lawsuit filed by banking institutions against Target Corp. as well as Trustwave Holdings Inc., a qualified security assessor allegedly hired by the retailer before its massive point-of-sale network breach last year.

In seeking to recoup banks' expenses tied to the breach, the lawsuit, filed March 24 by Trustmark National Bank and Green Bank, claims, among other things, that Trustwave failed to maintain ongoing compliance with the Payment Card Industry Data Security Standard and other industry standards for protecting personally identifiable information and other sensitive cardholder data.

But financial fraud expert Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation, questions how much liability a third-party QSA really has when it comes to a retail breach.

"By naming Trustwave along with Target, this lawsuit is a real stretch," he says. "Until it plays out, though, it's going to make security vendors everywhere pretty nervous."

Security vendors are mindful of the increasing breach risks their clients face, he adds.

"[They] are acutely aware of the possibility of making a mistake, overtly or by omission, in the work they do for a client, especially those operating in the litigation-happy U.S.," Wills says. "The chances of such a mistake happening are actually very high, and they get higher every day as data breach threats become ever-more numerous and complex."

As a result, security vendors typically limit their breach liability in their contracts, carry insurance to address oversights or "mistakes," and are mindful to thoroughly document their actions when performing security assessments, he adds.

This is not the first time a third party, or Trustwave specifically, has been sued after a breach, says privacy attorney David Navetta, co-founder of the Information Law Group. But it is the first time a QSA has been sued by card issuers, he says.

"Ultimately, I think these cases are hard for plaintiffs like banks, because they don't have direct relationships with vendors like Trustwave," Navetta says. "Without a contract or some other independent legal obligation to link in to, it is difficult for plaintiffs to prevail."

The Allegations

Like other complaints recently filed against Target, including the class-action lawsuit filed earlier this month by Umpqua Bank, Trustmark National Bank and Green Bank claim Target is responsible for all expenses and fraud losses incurred by card-issuing institutions as a result of its 2013 breach (see Suits Against Target Make 'Statement').

The 48-page complaint, filed in the U.S. District Court for the Northern District of Illinois, also alleges Trustwave ultimately failed to ensure Target's POS network and other systems were secure.

"On information and belief, Trustwave scanned Target's computer systems on Sept. 20, 2013, and told Target that there were no vulnerabilities in Target's computer systems," the complaint alleges. "Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target's systems and compromises of PII or other sensitive data. In fact, however, the data breach continued for nearly three weeks on Trustwave's watch."

In a response to Information Security Media Group on March 25, Trustwave states: "Our company's policy is not to confirm that any party is a customer, not to comment on specific customers and not to comment on pending legal matters."

A Target spokeswoman tells Information Security Media Group that Target can't comment on pending litigation.

Lawsuit Cites Gonzalez Case

The complaint alleges, among other things, that Target failed to disclose its breach in a timely manner and had previously suffered breaches and been warned that its payments systems were vulnerable to attack.