COLUMBIA — Securing confidential information is now a nonnegotiable requirement at South Carolina’s Department of Revenue following the theft of millions of taxpayers’ personal data, the interim director told lawmakers Tuesday.
Bill Blume told a Senate panel investigating the mid-September theft of millions of taxpayers’ personal data that the agency will spend $21.7 million, or $1.5 million beyond last month’s expected response cost, but said he was not asking legislators to provide the difference.
“We’re going to have to do whatever we can to come up with that $1.5 million,” Blume said.
Blume, who took the agency’s helm two weeks ago, said another important change he has made is to require the top information-security officer to report directly to him.
Former IT security officer Scott Shealy testified earlier that recommendations he made that could have prevented the theft were dismissed as unnecessary and never reached senior management. Blume told senators that adequately securing data is now a nonnegotiable requirement, as Shealy – sitting in the audience – vigorously nodded his head “yes.”
“Security is considered a cost of doing business, not a discretionary budget item,” Blume said.
Clearly, he said, that was not the agency’s previous approach.
“That’s strong language, and we appreciate your commitment,” said Sen. Kevin Bryant, R-Anderson, the panel’s chairman.
In December, the Budget and Control Board approved loaning Revenue $20.2 million from insurance reserves to cover the cost of contracts signed by Gov. Nikki Haley and former Director Jim Etter after they learned of the hacking in October. The largest contract, of $12 million, covered a year of credit monitoring by Experian for taxpayers who signed up. Other costs included a legal team and public relations firm, as well as computer-security experts and the cost of implementing their advice.
The cost above the $20.2 million includes an additional $90,000 to Mandiant, the computer-security firm hired to plug the security hole, determine what happened and make recommendations. The two additional months of protection from Mandiant brings its contract to $840,000.
The rest of the $1.5 million comes from adding two people to the agency’s information-security team, and paying EMC $1.2 million to provide system backup in the event of a disaster.
Blume said the agency is hiring top-notch IT security experts. Etter has said that Shealy’s position went unfilled for nearly a year because the agency couldn’t find someone to take the job.
Revenue also signed a contract Tuesday with EMC to encrypt its stored data, at a cost of $3.8 million. The necessary equipment should arrive next week, and the encryption job should then take 13 weeks, Blume said.
Information stolen by the hacker included unencrypted Social Security and bank account numbers of millions of residents and businesses, from tax filings dating to 1998. The agency could have prevented the theft if it had encrypted stored data or required more than one password for users accessing the system remotely, according to Mandiant.
Shealy, who left the agency in September 2011, testified he recommended installing self-encrypting drives on laptops and desktops, at a cost of $70,000, as well as a fingerprint confirmation for remote-access users. The laptops already came with the fingerprint capability but additional software was required to make it work, he said.
“It was not a priority,” he said, reiterating what he told a House panel earlier this month. “The CIO controlled the money. If he felt it was not a priority, there wouldn’t be funding.”
That former chief information officer resigned in September for reasons agency officials have called unrelated to the hacking.
The dual-access authentication on laptops should be installed by month’s end, at a cost of $37,000, according to the agency.
Blume said he doesn’t expect pushback from employees on his requirement of a cultural shift, though he notes that anyone who does won’t remain.
“I think it’s embarrassing for us to have this situation,” he said. “Everyone I’ve talked to is willing to change.”