“It isn’t just Trustwave and Target on trial in these lawsuits, the value businesses put on cybersecurity is really the bigger issue.
The lawsuit alleges that Target knew their systems were vulnerable in 2007, but resisted making improvements due to costs and ultimately outsourced data security to Trustwave. This raises interesting questions because all businesses have security vulnerabilities; at what point does vulnerability cross the threshold and become negligence?
In the security world it’s well understood that PCI compliance does not equal security. The outcome of these lawsuits has the potential to drive this fact home for the general public. Hopefully, it will also serve as a wake-up call for business leaders to reassess their approach to security risks and reevaluate their security investment strategy.”
From Craig Young, security researcher for Tripwire: “It will be interesting to see which factors the judge and jury consider when determining whether Trustwave should be held accountable for some portion of damages resulting from the Target breach. If the courts were to assign blame solely to Trustwave, security auditors could start to be viewed as another type of insurance policy against data breaches.”
Calum MacLeod, VP of EMEA at Lieberman Software Corporation, said: “So why do they stop at Trustwave? Why not sue all the security vendors who supply Target? Surely they are all culpable. What this should do is serve as a wake-up call that ticking a compliance box is no longer sufficient. The problem with compliance is that those who are required to comply will focus on minimum requirements. Maybe finally someone will realize that ticking a box in an RFP is not the answer and maybe it’s time for vendors in the security space to modify their language. Phrases like Stop Advanced Attacks, Total Security for Business, Avoid Breaches, Achieve Compliance, and Stop Insider Threats, and any such claims should all come with a disclaimer that says ‘This has been written by our Marketing Department and no liability is accepted for the complete inaccuracy of such statements’.”