But Circuit Judge G. Thomas Cooper said during a hearing in Columbia he needed more time to consider requests to dismiss the case against Haley’s office, the Department of Revenue, South Carolina’s Division of Information Technology and a private data security company.
Former state Sen. John Hawkins filed the lawsuit last year after officials announced a cyber-thief had hacked into the revenue agency’s servers and taken unencrypted data from 3.8 million individual tax filers and 700,000 businesses in the nation’s largest hacking of a state agency.
The data was extracted Sept. 13 – the last of several system intrusions since August. Jim Etter, who resigned as revenue director at the end of last year, has said state officials didn’t learn of the breach until Oct. 10.
The lawsuit accuses state agencies of failing to protect taxpayers and conspiring to keep news of the hacking from the public. Hawkins later amended his lawsuit to include Trustwave – an international technology company the state has used since 2005 – and the state information technology agency, saying both entities didn’t safeguard taxpayers’ information.
Trustwave attorney Jimmy Long said his client isn’t part of South Carolina’s government and couldn’t have engaged in any conspiracy.
Bobby Stepp, an attorney for the information technology agency, said his client was basically only a “landlord” for the Revenue Department’s servers, which it doesn’t own or maintain.
“We don’t really think we’re a player here,” Stepp said. “We have no ability to control what goes on within those servers.”
Butch Bowers, a lawyer for Haley’s office and the Revenue Department, said Hawkins’ claims should be dismissed because he couldn’t show that any taxpayers had so far been harmed financially by the hacking.
“The state has spent in excess of $12 million to remedy any prospective harm,” Bowers said. “The government ... has stood up and said: Look, this happened. We’re going to do everything in our power to ensure that the citizens of South Carolina are protected.”
The Revenue Department has been approved for a $20 million loan from the state’s insurance reserve fund to pay for the government’s hacking response. The largest chunk of that – $12 million – has been paid to the credit bureau Experian, which is providing a year’s worth of state-funded credit monitoring to any taxpayers who sign up by the end of March. A state lawmaker has also proposed extending that state-paid credit monitoring to a decade.
Attorneys for the state say Hawkins’ lawsuit should be halted while law enforcement continues its criminal investigation. Cooper didn’t say when he would rule on the dismissal motions but gave all attorneys 10 days to submit proposed orders.
Hawkins is also seeking class-action status for the lawsuit, saying he hopes to represent all taxpayers whose Social Security numbers and credit card information was compromised.
State law limits the liability of public agencies in negligence cases to $600,000 per occurrence. That means if a judge considered the hacking to have been a single event, and, millions sued the state and won, their takeaway would be pennies apiece.
Hawkins argues his case is covered by a separate law that provides a fine of up to $1,000 for each resident whose information is breached. Whatever a judge decides on that front, the liability limit does not apply to private companies like Trustwave.