The lawsuit against South Carolina following the recent Department of Revenue data breach has been expanded to include data security company Trustwave.
John Hawkins, a former South Carolina state senator and attorney, filed an amendment to the lawsuit claiming Trustwave “violated and failed to comply with the duties imposed upon them to encrypt data and to expeditiously disclose the breach of security,” according to an Associated Press report. South Carolina hired Chicago-based Trustwave back in 2005 to secure its databases and meet its requirements under the Payment Card Industry’s PCI-DSS standard.
South Carolina officials announced Oct. 26 the massive data breach at the Department of Revenue which exposed 3.6 million personal income tax returns and 657,000 business filings. Along with Social Security numbers, some credit card numbers were exposed. While most of the credit card numbers were encrypted, none of the Social Security numbers were protected in any way.
“This is a huge development, because we learn for the first time that a large, multinational corporation had assumed the responsibility for securing this data,” Hawkins said in a statement.
Hawkins filed the original lawsuit against Gov. Nikki Haley, the Department of Revenue, and its director last week for negligence in protecting taxpayer data.
Trustwave did not respond to SecurityWeek's request for comment, and the governor doesn't seem to think the suit has any merit. “Nothing Mr. Hawkins does surprises the governor, nor does it change her statement from last week: There is a trial lawyer with a hand out and a tissue ready at any crisis,” a spokesperson for the governor told Greenville Online.
State officials said investigators believe the cyber-attacks began in late August, and the data was last stolen Sept. 13. The state first became aware of the breach on Oct. 10, when the Secret Service notified state law enforcement officials. The security hole has since been closed.
According to the Associated Press, Department of Revenue director Jim Etter told state lawmakers during a hearing that Trustwave had scanned the systems on Sept. 14 and Oct. 14 and found no external vulnerabilities.
The Department of Revenue has been criticized for not using the IT monitoring services offered by State Budget and Control Board’s Division of State Information Technology and going to a third-party contractor instead. Department officials had claimed hiring a third-party contractor was necessary because DSIT didn’t offer PCI-DSS services to protect credit card data.
Hawkins has also added DSIT to the lawsuit and is seeking class-action status. The suit also cited the state for failing to notify the public of the breach in a timely manner.
“This hacking amounts to a ‘Cyber Hurricane’ and it’s a Category 5,” Hawkins said.
Under current state law, liability for public agencies in negligence cases is capped at $600,000, which means that if the lawsuit does get class-action status, victims will get at most $0.16 each in compensation. Hawkins is asking the court to consider the suit under a different law, which would allow up to $1,000 in compensation per person.