Itís been 19 months since hackers stole unencrypted data of 6.4 million South Carolina residents and businesses from the Department of Revenue.
The state is left with more questions than answers. No one has been arrested in the case. Itís impossible to say how many, if any, people and merchants became identity theft victims because of the hacking. And most disturbing, itís unclear just what the various state agencies are doing to safeguard other sensitive and confidential data from being stolen by other cyber thieves.
The situation leaves us all vulnerable with no way to protect our information.
Only baby steps have been taken to improve the situation. Legislators have given the Budget and Control Board $11 million this fiscal year to start implementing cyber security steps recommended by Deloitte & Touche, a firm hired after the hacking to review agenciesí technology systems. Among the offerings, agencies can now receive network monitoring, laptop encryption and an extra log-in step for accessing laptops remotely. And security awareness training for all state employees began in February.
But that isnít enough to ensure all important data across all state agencies is protected at an acceptable level. The main problem is state law is silent on who has the authority to set cyber-security policies and ensure theyíre being followed. Currently, itís left up to each state agency to develop and monitor its own security plan. No one has the authority to assess agenciesí programs or require upgrades.
Itís positive that efforts are underway to grant that power to the Budget and Control Board. Both the Houseís and the Senateís budget proposal include clauses that would allow the boardís information technology division to assess the cyber safeguards state agencies are currently using, adopt new standards and ensure the new rules are followed across the board. Already, S.C. Gov. Nikki Haley requires that her Cabinet agencies Ė the only ones that she has direct say over Ė work with the board and collaborate on safeguard measures.
The reform wonít come cheap. The Budget and Control Board is seeking nearly $21 million in next yearís budget to implement recommendations, including an IT team to determine what data needs to be protected, computer upgrades and more data protection capabilities.
This expensive endeavor is, unfortunately, what it will take to bring South Carolina up to standards. It would have been much better if it was undertaken before the cyber theft.