A lawsuit has been filed against security firm Trustwave following a devastating breach that potentially exposed the personal information of 80 percent of South Carolina residents.
The suit, lodged on 31 October by attorney John Hawkins against two state agencies, state Governor Nikki Haley and James Etter, director of the state's Department of Revenue, was amended Monday to also include Trustwave and the Department of State Information Technology (DSIT).
The suit stemmed from a hacker intrusion of the state Department of Revenue systems, which resulted in the compromise of 3.6 million Social Security numbers and 387,000 credit and debit card numbers of residents who filed South Carolina tax returns since 1998.
On 10 October, state officials were informed of the attacks, which were thought to have occurred on multiple occasions from August through September. Reports soon surfaced that the attackers were based overseas and used approved credentials to steal data.
Chicago-based Trustwave and DSIT were added to the suit based on allegations that the Department of Revenue “rejected the data protection services offered by DSIT” in favor of security services provided by Trustwave, according to Moore, S.C.-based The Hawkins Law Firm.
In the amended suit, Hawkins, a former South Carolina state senator, alleged that Trustwave – along with Haley, Etter and state agencies – violated the state's breach notification law, and engaged in negligence and civil conspiracy. The complaint seeks unspecified damages.
Hawkins is seeking to have the suit elevated to class-action status, where victims' complaints would be combined against the defendants.
A Trustwave spokesman told SC the company is not able "to confirm any specific customer relationships, to comment on specific customers or to comment on pending legal matters."
A spokeswoman for South Carolina's Department of Revenue emailed that the agency was closed for the observance of Veterans Day, but that it could respond to inquiries on Tuesday.
David Navetta, attorney and founding partner of Manhattan Beach, told SC that cases where lawsuits are filed against third-party service providers for breaches were rare.
"We haven't seen much of this, at least publicly speaking. The issue is whether the plaintiffs, or individuals, have a claim against a service contractor," Navetta said.
Navetta said that more often an organisation directly impacted by a breach, like the Department of Revenue in this case, might try to go after a third-party company for breach of contract, rather than the individuals impacted doing so.