
Insurance Company Sues Security Firm After Breach – Who is Accountable?



In January 2009, Heartland Payment Systems announced that it had been the victim of a security breach that occurred the previous year. The attackers had targeted the company's card-processing systems and stole data from an estimated 100 million credit cards, at the time the largest theft of card data ever reported. Now, nearly a decade later, Heartland has filed a $30 million lawsuit against the security firm that failed to detect the malware behind the breach. The delayed lawsuit raises a lot of questions, chief among them: who can, and who should, be held accountable for breaches like this in the future?

The security firm in question is Trustwave. Heartland contracted the firm to provide security monitoring and to ensure that Heartland met the requirements of the PCI Data Security Standard (PCI DSS). After the breach, an outside investigation commissioned by Visa found that Heartland had not been meeting its PCI requirements. On the basis of that investigation, Heartland filed its lawsuit against Trustwave, arguing that Trustwave was negligent in its duty to audit and monitor Heartland's systems.

Since the lawsuit was announced, Trustwave has disputed the claims. The firm argues that an audit captures a system's state at a single point in time and cannot guarantee that the system will remain secure afterwards, and that even an audited system cannot be 100% protected from breaches. Trustwave maintains that it is not accountable for the breach, because its role of monitoring security is not the same as managing security; day-to-day responsibility for the systems remained with Heartland.

It is unclear how the case will turn out. The lawsuit can be viewed from many angles, depending on how you weigh the distinction between monitoring and managing security, how much reliance should be placed on a point-in-time audit, and ultimately how far an outside party can be held accountable for a customer's breach. What is clear is that the Heartland breach of a decade ago should serve as a lesson for companies today: invest in the strongest security your organization can support, and make sure your contracts with security vendors state clearly who is, and is not, liable if a breach occurs.