The news that no bidders met the requirements for a new credit monitoring contract for South Carolina residents and businesses whose identifying information was stolen is troubling.
But even more troubling is the idea that revised terms of the contract could offer less protection than previously contemplated. The state should do all it can to ensure our identifying personal information and credit records are protected from further harm. After all, we were required to give critical personal information to the state, and it was stolen due to the actions (and inactions) of state Department of Revenue employees.
Last year, hackers stole the Social Security, bank account and credit card numbers of more than 6 million individuals and businesses contained in income tax filings in Department of Revenue computers. The department had failed to use basic security measures, including encrypting data and a multi-layered password system. The agency also had left its computer security officer’s position vacant for a year before the breach; its last security officer told lawmakers he thought the agency hadn’t made security a priority.
The state Budget and Control Board last week revised its request for proposals after three bids for a $10 million contract failed to meet the state’s requirements.
The new contract would replace a $12 million, one-year contract that expires at the end of October.
The new contract requires change-of-address monitoring, payday-loan monitoring and “Internet surveillance,” including “scanning black market or underground websites” to detect fraudulent activity, The State newspaper reports. It also would give taxpayers identity-theft insurance to cover “identity-restoration costs, losses due to identity theft, lost wages and legal fees and expenses” of up to $1 million.
State officials wouldn’t discuss how the bids fell short, but the revised request for proposals requires the winning company to monitor only one major credit bureau rather than all three major credit bureaus, the newspaper reports. The request also asks for a proposal on how much more it would cost to monitor all three bureaus.
The state is seeking a five-year contract, renewable every year. Lawmakers allocated $10 million for the first year.
If $10 million isn’t enough to provide the credit monitoring services residents and businesses should get, especially given the scale of this security breach, then more money should be found for the contract.
The thieves got names, birth dates, addresses and Social Security numbers, all the information they need to steal our identities and wreak havoc with our credit for years to come. The state owes us the best protection possible.
And there should be no lapse in that protection. The new round of bids are due Oct. 3, leaving less than a month to get a new contract in place before the old one expires.
This must become a top priority.