COLUMBIA, SC (AP) - Gov. Nikki Haley and the state's former revenue director were dismissed from
a lawsuit Thursday over a massive security breach at South Carolina's tax
collection agency.
But Circuit Judge G. Thomas Cooper said during a hearing in Columbia he
needed more time to consider requests to dismiss the case against Haley's
office, the Department of Revenue, South Carolina's Division of Information
Technology and a private data security company.
Former state Sen. John Hawkins filed the lawsuit last year after officials
announced a cyber-thief had hacked into the revenue agency's servers and taken
unencrypted data from 3.8 million individual tax filers and 700,000 businesses
in the nation's largest hacking of a state agency.
The data was extracted Sept. 13 - the last of several system intrusions
since August. Jim Etter, who resigned as revenue director at the end of last
year, has said state officials didn't learn of the breach until Oct. 10, when
the U.S. Secret Service informed state law enforcement.
The lawsuit accuses state agencies of failing to protect taxpayers and
conspiring to keep news of the hacking from the public. Hawkins later amended
his lawsuit to include Trustwave - an international technology company the
state has used since 2005 - and the state information technology agency, saying
both entities didn't safeguard taxpayers' information.
Trustwave attorney Jimmy Long said his client isn't part of South Carolina's
government and couldn't have engaged in any conspiracy. Bobby Stepp, an
attorney for the information technology agency, said his client was basically
only a "landlord" for the Revenue Department's servers, which it
doesn't own or maintain.
"We don't really think we're a player here," Stepp said. "We
have no ability to control what goes on within those servers."
Butch Bowers, a lawyer for Haley's office and the Revenue Department, said
Hawkins' claims should be dismissed because he couldn't show that any taxpayers
had so far been harmed financially by the hacking.
"The state has spent in excess of $12 million to remedy any prospective
harm," Bowers said. "The government ... has stood up and said: Look,
this happened. We're going to do everything in our power to ensure that the
citizens of South Carolina are protected."
The Revenue Department has been approved for a $20 million loan from the
state's insurance reserve fund to pay for the government's hacking response.
The largest chunk of that - $12 million - has been paid to the credit bureau
Experian, which is providing a year's worth of state-funded credit monitoring
to any taxpayers who sign up by the end of March. A state lawmaker has also
proposed extending that state-paid credit monitoring to a decade.
Attorneys for the state say Hawkins' lawsuit should be halted while law
enforcement continues its criminal investigation. Cooper didn't say when he
would rule on the dismissal motions but gave all attorneys 10 days to submit
proposed orders.
Hawkins is also seeking class-action status for the lawsuit, saying he hopes
to represent all taxpayers whose Social Security numbers and credit card
information was compromised.
State law limits the liability of public agencies in negligence cases to
$600,000 per occurrence. That means if a judge considered the hacking to have
been a single event, and, millions sued the state and won, their takeaway would
be pennies apiece.
Hawkins argues his case is covered by a separate law that provides a fine of
up to $1,000 for each resident whose information is breached. Whatever a judge
decides on that front, the liability limit does not apply to private companies
like Trustwave.
Copyright 2013 WIS. All rights reserved.
Governor Nikki Haley and Former SCDOR Director Jim Etter speak to the media in the days after the hacking incident became public.
