Following a devastating breach that potentially exposed the personal information of 80 percent of South Carolina residents, a lawsuit has been filed against security firm Trustwave, two state agencies, Gov. Nikki Haley and James Etter, director of the state’s Department of Revenue.
First lodged on Oct. 31 by attorney John Hawkins, the suit was amended last Monday to include Trustwave, a Chicago-based vendor that conducts security compliance assessments, and the Department of State Information Technology (DSIT).
The suit stemmed from a hacker intrusion of the state Department of Revenue systems, which resulted in the compromise of 3.6 million Social Security numbers and 387,000 credit and debit card numbers of residents who filed South Carolina tax returns since 1998.
On Oct. 10, state officials were informed of the attacks, which were thought to have occurred on multiple occasions from August through September. Reports soon surfaced that the attackers were based overseas and used approved credentials to steal data.
Chicago-based Trustwave and DSIT were added to the suit based on allegations that the Department of Revenue “rejected the data protection services offered by DSIT” in favor of security services provided by Trustwave, according to Moore, S.C.-based The Hawkins Law Firm.
In the amended suit, Hawkins, a former South Carolina state senator, alleged that Trustwave – along with Haley, Etter and state agencies – violated the state’s breach notification law, and engaged in negligence and civil conspiracy. The complaint seeks unspecified damages.
Hawkins is seeking to have the suit elevated to class-action status, where victims’ complaints would be combined against the defendants.
A Trustwave spokesman told SCMagazine.com in an email on Monday that the company is not able “to confirm any specific customer relationships, to comment on specific customers or to comment on pending legal matters.”
A spokeswoman for South Carolina’s Department of Revenue emailed that the agency was closed for the observation of Veteran’s Day, but that it could respond to inquiries on Tuesday.
UPDATE: David Navetta, attorney and founding partner of Manhattan Beach, Calif.-based Information Law Group, which specializes in privacy and data security legal matters, told SCMagazine.com Monday that cases where lawsuits are filed against third-party service providers for breaches were rare.
“It’s interesting,” Navetta said. “We haven’t seen much of this, at least publicly speaking. The issue is whether the plaintiffs, or individuals, have a claim against a service contractor.”
Navetta said that more often a business or organization directly impacted by a breach, like the Department of Revenue in this case, might try to go after a third-party company for breach of contract, rather than the individuals impacted doing so.