Bank Didn't Set Up Mechanism for Victims to Report Misuse of Breached Data: Suit

In an amended March 28 8-K filing, SouthState disclosed it detected a “cybersecurity incident” Feb. 6. The bank “initiated its incident response and business continuity protocols,” began taking measures to “disrupt the unauthorized activity” and has been conducting an investigation, it said.

SouthState hired a cybersecurity firm and notified banking regulators and law enforcement, the SEC filing said. As a result of those measures, “SouthState has contained the impact of the cybersecurity incident,” and “will mail notification letters to individuals whose personal information may have been involved,” it said.

King’s complaint noted an “untitled letter” that the bank began sending out to customers March 29, informing them it detected and took measures to address “an incident that involved unauthorized access to our network.” The cybersecurity firm engaged to investigate the breach determined there was “unauthorized access to certain folders in our network on February 7, 2024,” said the complaint. The bank “received the files in those folders, and on March 13 … determined that one or more files contained your name, financial account number, and Social Security number,” the letter said.

Omitted from the notice letter were the identity of the hackers, the date and root cause of the breach, the vulnerabilities exploited and measures taken to ensure such a breach doesn’t occur again, said the complaint. The notice letter failed to say whether the bank took efforts to contact class members whose PII was accessed in the breach to inquire whether any of them “suffered misuse of their data” or whether SouthState “was interested in hearing about misuse of their data or set up a mechanism for Class Members to report misuse of their data,” it said.

SouthState had obligations under the FTC Act, Gramm-Leach-Bliley Act, contract, common law and industry standards to keep King’s and class member’s PII confidential, the complaint said. But the defendant didn’t use reasonable security procedures and practices appropriate to the nature of the sensitive information they were maintaining for them, such as encrypting the information “or deleting it when it is no longer needed,” it said. King believes his and class members' PII was sold on the dark web after the breach.

The bank’s notice letter offers 12 months of identity monitoring service, which is “wholly inadequate to compensate” data breach victims, who face “multiple years” of ongoing identity theft and financial fraud, the complaint said. The offer of identity monitoring “establishes” that King’s and class members’ “sensitive PII was in fact affected, accessed, compromised and exfiltrated,” from SouthState’s computer systems, it said.

Among the actual injuries King and class members have suffered as a result of the data breach are invasion of privacy, theft of their PII, lost or diminished value of their PII, and lost time and opportunity costs associated with mitigating the breach, said the complaint.

King claims negligence, negligence per se, breach of implied contract, breach of fiduciary duty and unjust enrichment. He seeks injunctive relief enjoining SouthState from engaging in the wrongful conduct described and requiring it to implement and maintain a comprehensive information security program. He also seeks an award of actual, nominal, statutory, consequential and punitive damages; attorneys’ fees and costs; and prejudgment interest.