SC data breach suits point at the perils of hoarding personal information (2024)

Some businesses treat the personal information they collect like a family heirloom. They keep it forever.

It's proving to be a risky habit.

And it now appears a big regional bank with far-reaching roots in South Carolina is among the hoarders of financially delicate details about current and even past customers.

SouthState Corp. is facing a new lawsuit filed in federal court in Charleston that's seeking class-action status over a data breach that was discovered and disclosed more than two months ago.

Christopher Hart, who lodged his complaint at the Four Corners of Law on April 12, was among thousands who recently received a notice alerting them that they're potential victims of an online heist that targeted "certain folders" on the company's network.

"We reviewed the files in these folders and on March 13 ... determined that one or more files contained your name, financial account number and Social Security number," SouthState said in the widely distributed form letter.

Hart was likely surprised by the mailing. His account was closed in 2014.

"Thus, SouthState Bank has retained his private information for nearly a decade longer than needed," his lawsuit alleged.

It's an issue that's cropping up more and more — despite a key rule of thumb from the Federal Trade Commission, which last fall required financial institutions to report breaches of unencrypted data in their possession.

"Securely dispose of customer information no later than two years after your most recent use of it to serve the customer," according to the agency's recommendations.

The FTC added that the exceptions to its guidelines can include a legitimate business need or a legal requirement to keep the data — or if purging it isn’t feasible because of how it's being stored.

In Columbia, lawmakers filed a bill earlier this year that would set rules for businesses that are storing consumer information. The "technology transparency" legislation was then kicked over to the S.C. House Judiciary Committee for review.

Privacy advocates and cybersecurity experts for years have stressed that "data minimization" is the most foolproof defense against hackers.

“You collect this sensitive information: What do you do afterwards if you don’t need it for another purpose? You delete it, because if it’s deleted it can’t be breached," Jessica Rich, a former director of the FTC’s Bureau of Consumer Protection, said in a reportpublished in November by Fast Company.

A Charleston tech company learned a harsh lesson about the merits of ditching old information about customers after a costly 2020 network invasion that's still being litigated in federal court. In settling its complaint against Blackbaud Inc. earlier this year, the FTC said it found "reckless security retention practices" cost the Daniel Island company more money — and unnecessarily exposed information about ex-clients — "by hoarding reams of data that it did not reasonably need."

SouthState declined to comment on its breach last week, citing the newly filed litigation. In addition to the Charleston complaint, about 10 other similar cases have been added to the court docket this month in Florida, where the bank's parent company is headquartered.

Most of the lawsuits expressed concerns about the data being marketed for sale on the "dark web" to identity-theft scammers who could use it to take out loans under a victim's name or for other nefarious financial purposes.

"Such fraud may go undetected until debt collection calls commence months, or even years, later," according to a lawsuit Blythewood resident Latonya Gore filed over the SouthState breach.

The publicly traded bank said in filings with investors and stock-market regulatorsthat it detected "unauthorized access" to its network around Feb. 6 and reported it to government authorities, as required, and to law enforcement.

"The company is conducting a thorough investigation and a cybersecurity firm has been engaged," SouthState said.

In an update last month, the bank said the breach had "a significant impact on certain" operations but that it had "contained the impact." It also determined that it needed to alert anyone whose data was possibly stolen.

SouthState hasn't disclosed how many accounts were compromised or other details about its investigation. It said it's taking steps to strengthen its data security network.

Based in Columbia until 2020, SouthState is among the largest banks in the Palmetto State, where its origins reach back to a pair of lenders formed during the Great Depression in Charleston and Orangeburg. About 80 of its roughly 250 branches are in South Carolina.

In its notification letter, the bank offered affected current and former customers a free one-year membership with an ID-theft prevention service. One of the complaints described that as "wholly inadequate."

All of the lawsuits are seeking additional compensation, including restitution, interest, unspecified financial damages and money for legal expenses.