Editor's note: This article has been revised and updated to include a statement issued by the defendant, Trustwave, responding to the insurer's legal action.
Two insurance companies have joined together to ask a Cook County judge to order a data security firm to pay $30 million to reimburse the insurers for funds they had to pay out to settle claims resulting from a data breach at Heartland Payment Systems.
Lexington Insurance Company and Beazley Insurance Company filed a complaint June 28 in Cook County Circuit Court against Illinois-based Trustwave Holdings, Inc., and its corporate affiliates, saying Trustwave was ultimately responsible for the 2009 data breach that exposed Heartland, a payment processing firm, to millions of dollars in liability.
According to the complaint, Heartland signed its first sales agreement with Trustwave in 2005 for annual compliance assessment of Heartland’s Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures. Trustwave performed monthly vulnerability scans through 2006 and 2007, then shifted to a Compliance Validation services for PCI DSS contract, which added remote validation, network penetration and on-site validation services.
The complaint said the 2009 data breach can be traced to July 24, 2007, when malicious code was installed on Heartland’s system via an SQL injection attack targeted at collecting magnetic strip sequences. Malware was installed May 14, 2008. According to Lexington and Beazley, Trustwave’s assessments during this time didn’t result in a report of malicious code or malware on Heartland systems.
According to Lexington and Beazley, Trustwave certified Heartland’s systems as compliant with PCI DSS standards in both 2007 and 2008.
As a result of the breach going undetected, per the complaint, hackers accessed roughly 100 million credit and debit card numbers from more than 650 financial service companies, exposing Heartland to more than $148 million settlement fees for its liability, damages, remediation costs and other expenses. Further, Heartland defended itself in at least 16 consumer class action complaints, 14 class actions from financial institutions and four securities class actions.
After consolidation of the financial institution complaints, Heartland was accused of being liable for failing to maintain PCI DSS compliance. Visa conducted an independent investigation showing eight PCI DSS violations despite Trustwave’s clean compliance reports. Ultimately Visa asserted Trustwave incorrectly certified Heartland as PCI DSS compliant and prohibited Heartland from employing Trustwave.
Among the areas Visa said Trustwave overlooked were Heartland’s failure to maintain a firewall, using vendor-supplied defaults for passwords and other security parameters, insufficient protection of stored data, failure to develop and maintain secure systems and applications, data access restrictions shortcomings and failure to assign unique identification to each person with computer access, monitor all access to network resources and cardholder data and regularly test security systems and processes.
By March 3, 2015, the litigation was resolved through settlements or dismissals. Lexington paid $20 million to Heartland while Beazley reimbursed $10 million in accordance with their insurance policies. The companies are accusing Trustwave of breaching the 2005 and 2007 agreements with Heartland, as well as breach of express warranty and breach of contractual indemnification related to both contracts.
The complaint also accuses Trustwave of negligent misrepresentation and gross negligence. In addition to a jury trial, Lexington and Beazley seek at least $30 million “for the liabilities, damages, remediation costs, fees and other consequential damages they sustained.”
The insurance companies are represented in the matter by Gordon & Rees LLP, of Chicago.
In response to the filing of the lawsuit, Trustwave issued the following statement:
"Trustwave filed a lawsuit in Delaware against insurers Lexington and Beazley in response to their time-barred and unwarranted attempt to recoup the insurance payments they made as coverage for a 2008 data breach at Heartland. The insurers subsequently filed a duplicative suit in Illinois regarding the exact same matter.
"Trustwave provided Heartland with an assessment of its compliance with PCI DSS. However, such an assessment, as the contract at issue makes clear, in no way guarantees that the company examined has not or cannot be breached. Trustwave did not manage Heartland’s information security, and at no time did Heartland assign blame for the breach or make any claim against Trustwave.
"The insurers’ demand related to a decade-old breach is entirely without merit. Trustwave initiated the lawsuit in order to obtain a resolution of these baseless demands and intends to pursue this matter vigorously."