An Upstate law firm has filed a class-action lawsuit against the South Carolina Department of Revenue, its director Jim Etter, and Governor Nikki Haley over a massive data breach that officials say resulted in more than 3.6 million Social Security numbers being compromised.
The lawsuit filed by attorney (and former state Sen.) John Hawkins claims the Department of Revenue (DOR) was grossly negligent for failing to provide a “reasonable standard of care” in its database. The lawsuit claims DOR was not compliant with state law requiring sensitive personal information to be encrypted and that it committed a “civil conspiracy” by not notifying the public about the stolen data for more than two weeks after it was first discovered on October 10.
Hawkins says, “There were cost-effective, non-cumbersome steps that could have been taken by these defendants but for whatever reason they were not taken. And the basis of the lawsuit is that the defendants were grossly negligent in their failure to prevent what they should have seen coming and that they failed to notify the public in a timely manner.”
Hawkins is a former state GOP senator who tried unsuccessfully to run for his former seat earlier this year. He was defeated in the June Republican primary by the current incumbent Lee Bright. Haley endorsed Bright in that race.
He filed the suit on behalf of 60-year-old Phillip Morgan, a Spartanburg County native. The suit cites a section of South Carolina law that requires state agencies to notify affected South Carolinians when there is a security breach. Specifically, the law reads, “The disclosure must be made in the most expedient time possible and without unreasonable delay.”
However, that law also has an exception: “The notification required by this section may be delayed if a law enforcement agency determines that the notification impedes a criminal investigation. The notification required by this section must be made after the law enforcement agency determines that it no longer compromises the investigation.” State Law Enforcement Division Chief Mark Keel has said law enforcement decided when to make the breach public.
The law further states that an agency which violates this notification requirement faces a fine of up to $1,000 per affected resident, plus attorney’s fees and court costs.
Ed Jensen in Spartanburg contributed to this report.