COLUMBIA — South Carolina may spend $27 million next fiscal year on continued efforts to secure taxpayers’ personal data and provide another year of credit protection following the 2012 hacking at the state’s tax-collection agency.
The state budget may also require all state agencies to adopt cyber-security standards that are consistent across state government, to guard against another debacle. Nineteen months after a cyber-thief stole unencrypted data of 6.4 million residents and businesses from the Department of Revenue, it’s unclear how many agencies are adequately safeguarding their own data.
“We have no way of knowing if agencies are complying,” said Marcia Adams, director of the Budget and Control Board.
Nothing in state law gives its information technology division the authority to assess agencies’ progress or make policies mandatory, she said at a recent Cabinet meeting.
A clause in the House’s budget plan for 2014-15 would provide that authority. The Senate Finance Committee last week put a similar clause in the budget plan it’s crafting for the fiscal year that starts July 1. The Senate will debate its budget plan next month.
S.C. Gov. Nikki Haley said she believes the mandate is essential. She has required her Cabinet agencies, which include the Department of Revenue, to collaborate with the board’s IT division since November 2012, a month after she announced what was the nation’s largest hacking of a state agency.
“There is no excuse for any agency to not have IT protection at the very top of their list,” Haley said. “To not have learned the lesson from the Department of Revenue would be a huge mistake.”
Currently, each agency is responsible for its own security infrastructure.
Senate Finance Chairman Hugh Leatherman, R-Florence, said that needs to change, to both improve security and lower costs by eliminating duplication.
“State government spends a ton of money on IT equipment, and right now each agency is out there doing its own thing,” he said.
Legislators gave the board $11 million in the current fiscal year to start implementing cybersecurity steps recommended by Deloitte & Touche, which was hired last March to review agencies’ technology systems.
The newly structured IT division offers, at no cost to agencies, network monitoring and security solutions such as laptop encryption and an extra log-in step for accessing laptops remotely – a step consultants determined would have prevented the hacking. It has started issuing policies, assessed at least 10 agencies and offered a self-assessment tool for others. Security awareness training for all state employees began in February.
The Budget and Control Board is seeking $20.7 million next fiscal year for round two of the recommendations. That includes $5.7 million in operating money for the 21-person information security division and three-person privacy office, which is tasked with determining what data needs protected. The board’s seeking an additional $6.1 million to maintain and expand the division’s services. It’s also seeking $8.7 million in one-time money – $4 million more than given this year – for computer upgrades and more data protection capabilities.
The House budget plan, passed last month, funds the request.
It also includes $6.5 million for a third year of state-paid credit monitoring services for taxpayers affected by the hacking. It would mark the second year of the state’s contract with Texas-based CSIdentity Corp., awarded last September. The state is spending $8.5 million on that contract this year.
The state’s initial, $12 million contract – which Haley negotiated on an emergency basis – was with credit bureau giant Experian. That was the single largest expense among $20 million worth of contracts Haley approved in the hacking’s aftermath.
The hacker accessed tax forms filed online between 1998 and 2012 to steal data on 3.8 million adults, 1.9 million of their dependents and 700,000 businesses.
As of Friday, just 211,044 people and 2,195 businesses – 3 percent of those eligible – had enrolled in CSID’s state-paid services. Eleven percent of the people live outside South Carolina and about 9 percent are children signed up by their parents, according to the Department of Revenue.
Enrollment started last October, days before taxpayers’ one year of monitoring through Experian began expiring. Nearly 1.5 million people signed up for that credit-monitoring service.
It’s unclear whether anyone has become an identity theft victim because of the hacking. No one has been arrested in the case.
Eighty-six people have sought CSID’s identity restoration services that are part of the state’s contract: 62 are still being helped; 24 cases are closed after the victims’ credit and records were corrected, said CSID spokesman Bryan Hjelm.
But how those people’s data was exposed is unknown.