COLUMBIA — South Carolina’s tab for handling the hacking of millions of taxpayers’ personal data is approaching $20 million, and officials are giving no indications of how they’ll pay for it 11 weeks after the theft.
Gov. Nikki Haley’s office declined last week to offer a proposal for paying for contracts she and Revenue Director Jim Etter entered in the wake of the nation’s largest hacking of a state agency.
Haley spokesman Rob Godfrey said the Republican governor is consulting with the chairmen of the House and Senate budget-writing committees, who sit with her on a budget oversight board.
“As soon as we come to a consensus, we’ll make the public aware,” Godfrey said Friday.
The Legislature returns to Columbia on Jan. 8.
In mid-September, a cyber thief took the unencrypted tax records of 3.8 million individual filers and 700,000 businesses. After the U.S. Secret Service alerted state officials to the breach Oct. 10, Haley’s administration hired computer forensic experts, a legal team, a public relations firm and a credit bureau.
The state owes the largest single amount, $12 million, to Experian. The first half of that is due Dec. 15. The rest must be paid by Jan. 31. The cost includes a year of credit monitoring for taxpayers who sign up by Jan. 31 and, for parents who enroll in a separate service, their under-18 children as well.
Asked how Experian would be paid, Etter told a Senate panel Wednesday: “This is yet to be determined.”
Possibilities include asking the Budget and Control Board for permission to run a deficit for the fiscal year that ends June 30. It’s an option that won’t sit well with many legislators, who railed against the practice during former Gov. Mark Sanford’s tenure. The five-member budget oversight board, which Haley chairs as governor, next meets Dec. 12.
When she took office in January 2011, three Cabinet agencies were projecting deficits totaling $265 million. The budget board ended up bailing out $228 million of the Medicaid deficit through state surpluses or reserves.
But Haley made clear then she would end the practice.
Sen. Kevin Bryant, who’s leading the Senate panel looking into the mess, said he might be OK with Revenue running a deficit in this situation.
“I would be open to it, not happy about it,” said Bryant, R-Anderson. “This is a technological hurricane, a disaster.”
Other senators say absolutely not.
Sen. Vincent Sheheen, D-Camden, said it’s the Legislature’s job to appropriate money, not the governor’s. Both he and Republican Sen. Shane Massey, R-Edgefield, said legislators should tackle the issue soon after they return.
Massey said a supplemental budget bill could use reserves to pay the bills.
“I understand she had to do something, but there’s got to be some communication to figure out how we’re going to pay for it,” he said. “It’s something the Legislature ought to debate, and pass, rather than just having an unaccountable Budget and Control Board recognize a deficit.”
Revenue spokeswoman Samantha Cheek said Friday the agency has the money to pay Experian the first $6 million chunk due in two weeks, but the amount must be replenished for the agency to keep operating.
Besides Experian, the state expects to pay public relations firm Chernoff Newman about $160,000. As for the legal firm Nelson Mullins Riley & Scarborough, an internal email dated Oct. 28 puts a rough estimate at $100,000. But those costs are yet to be determined, Cheek said.
The agency is still finalizing a contract to notify the affected 3.8 million taxpayers by mail or email. The agency earlier expected notices to cost $741,000, but that was based solely on mailings to roughly 1.3 million taxpayers living outside South Carolina.
Cheek said Revenue has received its first bill of $300,000 from Mandiant, the computer security firm hired Oct. 12 to close the breach, determine what happened and recommend ways to better secure data. A Mandiant director told senators the total due will be $700,000.
The total cost of implementing its recommendations is not yet known, but two key security measures are under way.
Mandiant’s Marshall Heilman said the hacking could have been prevented with an additional step for people logging into the system remotely and, had the data been encrypted, the hacker could not have used it and would have moved on.
Revenue is going back and encrypting all data stored in the system, expected to cost $5 million, Cheek said.
That estimate has not changed since 2006, when agency administrators considered encrypting data as part of a computer upgrade but considered it cost-ineffective, according to Etter’s testimony.
Revenue is also buying devices that provide a second, temporary password for people accessing the system outside of work. Buying the tokens for the necessary 250 people will cost less than $25,000, Etter told senators.
“It’s a very inexpensive tool,” he said.