COLUMBIA — Taxpayer concerns about last fall’s hacking of a South Carolina state agency are expected to lead to fewer online tax filings, potentially adding several hundred thousand dollars to the debacle’s nearly $22 million price tag.
While insisting it’s safe to e-file, Department of Revenue officials are preparing for concerned taxpayers opting for the more time-consuming paper route.
“We envision we’ll have to hire part-time people with more paper files coming in,” interim Director Bill Blume said after a recent hearing before a Senate panel.
On Friday, the agency estimated needing 25 part-time workers to key in information, though spokeswoman Samantha Cheek stressed that the exact number will depend on the number of paper returns filed. She noted that 2013 processing has just begun.
Under current projections, the agency expects to spend an additional $300,000 to $400,000 on paper processing. Beyond the two dozen employees, costs include additional postage, paper and printing of correspondence, Cheek said.
“We hope to see individuals continue to choose electronic filing, as it is the most efficient for both the taxpayer and DOR,” she said.
In December, Gov. Nikki Haley’s office said all residents whose Social Security and bank account numbers were stolen should be notified by year’s end. But residents are still receiving notices.
Mailings that began going out by ZIP code in mid-December should continue through next week. For those who signed up for a year of state-paid credit monitoring by Experian, and provided an email address, email notices began Tuesday and should also wrap up next week, Cheek said.
Haley’s spokesman, Rob Godfrey, said matching the data took Experian longer than anticipated.
The cyber-thief who hacked into the agency’s computer servers last September took unencrypted data from 3.8 million individual filers and 700,000 businesses, making it the nation’s largest hacking of a state agency. But state officials have said the theft from filings dating to 1998 did not affect those who submitted paper forms through the mail.
Verenda Smith, deputy director of the Washington-based Federation of Tax Administrators, said taxpayers should not draw a connection.
“There’s no relationship between the breach of security and how people file that has any meaning for the future,” she said.
Smith said South Carolina has been a national leader in electronic tax collections in large part because the state – in the early 1990s – piloted fed/state e-filing, the filing of federal and state returns together online.
In annual reports, the Department of Revenue has touted a steady rise in the percentage of all taxes collected electronically, to 81 percent last year. As for personal income taxes specifically, South Carolina continues to be among the top 10, according to the federation.
Smith said she understands the hacking may make taxpayers hesitant but urges people to continue filing online. All of the information will go into a state computer anyway. It’s just a matter of how, she said.
“Either it goes directly from your finger as you typed it in on the keyboard, or it goes through the mail, gets ripped apart literally, and somebody has to input the data or it’s scanned in,” Smith said. “You’re introducing a lot of potential for human, mechanical errors when you file by paper.”
That could lead to notices that something’s wrong, when it’s not, creating unnecessary work for both taxpayers and agency employees, she said.
As for the hacking, Blume told legislators the agency expects to spend $21.7 million on the state’s response. The largest single amount, $12 million, had to be paid to Experian by Jan. 31. Other costs included a legal team, public relations firm, a contractor to print and mail the notices, as well as computer-security experts and the cost of implementing their advice.
Blume’s Jan. 22 estimate was $1.5 million more than is covered by an inter-agency loan approved by the Budget and Control Board in December. Blume, who took over as director last month, said the agency would somehow absorb the difference.
It includes $1.2 million for system backup and an additional $90,000 to Mandiant, the firm hired to plug the security hole, determine what happened and make recommendations. Two additional months of protection from Mandiant brings its contract to $840,000.
Of the two security measures Mandiant said would have prevented the theft, one is complete. Dual-access authentication on laptops, for people accessing the system remotely, was installed last month, at a cost of $12,000, Cheek said.
The encryption of stored data should be finished by late April. The Department of Revenue signed that $3.8 million contract Jan. 22, Blume said.