The Times and Democrat of Orangeburg on DOR hacking investigation:
Gov. Nikki Haley’s administration will not publicly release a previously undisclosed, more detailed report on how a hacker breached the S.C. Department of Revenue, affecting sensitive information for millions of taxpayers.
State lawmakers reached by the Post and Courier of Charleston said they were never informed of the existence of the report by the administration. Those legislators and an attorney for the South Carolina Press Association said the report, or at least most of it, needs to be released to the public.
Press Association attorney Jay Bender, an expert on the state’s Freedom of Information Act, said the law does not allow the Revenue Department to not release the report at all.
He said the agency can redact sensitive information on security but must release the rest of the report. ...
The report is being produced by Mandiant, the cyber security firm the state is paying $700,000 to investigate the breach.
The report is “confidential,” and the shorter version released to the public last month “included every piece of information Mandiant determined would not create new or further security risks,” said Samantha Cheek, a spokeswoman for the Revenue Department.
After the Post and Courier began asking questions about the report, Haley spokesman Rob Godfrey said the administration will make the full report available to lawmakers and constitutional officers on request. But Godfrey said that heeding the advice of Mandiant, the report will not be publicly released.
So again, the public does not get information it should be receiving. At very least, the Revenue Department should provide a detailed explanation for why it is withholding the report.
Maybe there is hope for answers from the Legislature. House Speaker Bobby Harrell appointed a panel of Republicans and Democrats to find answers and make legislative recommendations.
The committee will be charged with issuing “a full public report” to the General Assembly detailing the breakdown in agency security measures that allowed this cyber data hacking to occur. The committee shall have the ability to request any necessary information, interview experts and take witnesses’ testimony to uncover exactly how the infiltration occurred and to determine whether proper security measures were followed. The committee’s report also shall include recommendations for any legislative or agency procedural changes necessary to ensure that our businesses’ and citizens’ personal information is better safeguarded from future cyber assaults.
We’ll be around to remind lawmakers of the promise for a full public accounting.
Notice about comments: