N.Y. Bank Drops Lawsuit Against Target and Trustwave

One of the two banks suing retailer Target and security vendor Trustwave in connection with the retailer's high-profile data breach has backed off.

Trustmark National Bank filed a notice of dismissal of its lawsuit on March 28 in U.S. District Court in Chicago. The claims of co-defendant Green Bank still stand, the court clerk's office said March 31. Trustmark is based in New York City, and Green Bank is in Houston.

Trustmark and Green Bank filed a lawsuit against Target and Trustwave on March 24. The lenders sought at least $5 million in damages from the two firms, arguing that they had been unfairly saddled with the cost of cancelling and reissuing compromised cards "even though they had nothing to do with causing the data breach and could not have avoided it."

But Trustwave says that it too had nothing to do with the breach. The company did not provide data security services to Target, Trustwave Chief Executive Robert McCullen said in an open letter postedon the company's website on Saturday.

"Contrary to the misstated allegations ... Target did not outsource its data security or IT obligations to Trustwave," McCullen wrote. "Trustwave did not monitor Target's network, nor did Trustwave process cardholder data to Target."

Lawyers for the two lenders did not immediately return calls seeking comment. Trustwave declined to comment further on the case and Target also declined to comment.

Hackers stole payment card information from 40 million credit and debit cards over the course of two weeks in November and December, along with other personal information from 70 million customer records. Investigators have said that hackers cracked Target's network by using the password of its heating and air-conditioning supplier, Fazio Mechanical Services.

The lawsuit filed by Trustmark and Green Bank claims that Target failed to prioritize data safety, leaving its system vulnerable to the attack. It also claims that the retailer outsourced data security duties to Trustwave, relying on the vendor to ensure that its systems met Payment Card Industry Data Security Standard requirements. The requirements outline the steps companies must take in order to prevent the theft of payment card data.