House and Senate leaders of both parties say cyber security will be a top priority for the 2013 legislative session, as they delve into the computer theft last September of millions of residents’ and businesses’ tax filings with the Department of Revenue.
Legislators acknowledged Thursday having no idea what needs to happen or what it will cost, but they pledged to find the money to better protect taxpayers’ personal information. They want consultants to evaluate agencies’ systems and make recommendations.
“Whatever the cost is, that’s what we’re going to pay,” Senate Majority Leader Harvey Peeler, R-Gaffney, said at a legislative workshop. “If government requires us to give our information, it’s government’s responsibility to protect it.”
Legislators noted several key preventive steps – such as training employees not to click on random e-mails and developing a protocol for what to do when malicious e-mails are detected – will cost little to nothing.
Legislators also promised to debate what’s been spent so far.
In her 2013-14 executive budget, Gov. Nikki Haley recommends spending more than $40 million on agencies’ computer systems and security. That includes $20.2 million to repay a loan the revenue agency received to cover contracts she and former Revenue Director Jim Etter signed after learning of the breach in October. The Budget and Control Board, which Haley heads, approved the loan last month from insurance reserves, days before a $6 million payment to credit bureau Experian was due.
The remainder of that $12 million contract must be paid in full by month’s end.
Sens. Vincent Sheheen, D-Camden, and Shane Massey, R-Edgefield, contend the Legislature should have been called back to debate those contracts and how to pay for them, because appropriating money is a legislative function. Massey notes the Senate was actually in Columbia for an organizational session the day the five-member financial board approved the loan.
Other legislators question the worthiness of the Experian contract, which covers a year of credit monitoring for any South Carolina taxpayer who signs up, plus over-the-phone help for identity theft victims.
Some legislators say taxpayers deserve extended, state-paid monitoring.
“This is going to be a lifetime issue for everyone,” said Sen. Kevin Bryant, R-Anderson, who leads the Senate panel looking into the hacking. “The infant on a parent’s tax return may live to be 90 years old.”
But he scoffs at Experian’s offer for a second year of monitoring for $10 million, saying the state is providing Experian with hundreds of thousands of new customers buying additional services. For example, the contract covers only a single free Experian credit report. Any credit score or additional reports cost extra.
Rep. Mandy Powers Norell said the service is being incorrectly portrayed as protecting taxpayers’ credit. The service alerts customers to accounts newly opened in their name. It doesn’t prevent or stop those accounts from being opened, nor does it detect all forms of identity theft.
“We call it security. But it’s not security; it’s credit monitoring,” said Powers Norell, a bankruptcy attorney. “That monitoring is after-the-fact.”
She believes the money would be better spent elsewhere, and that the state is paying for services largely available for free. Federal law allows residents to place fraud alerts on their credit and receive free credit reports, while state law allows people to freeze their credit at no cost.
“There’s nothing we can do now about the fact their Social Security numbers are out there, their bank account routing numbers are out there. … We need to let them know about the rights they have under federal law,” said Powers Norell, D-Lancaster.
Legislators appear to agree with Haley’s request to hire computer security consultants. Haley designated $3 million for that in her budget proposal.
“This consulting money is probably going to be the most important money we spend this year, because we’re not experts in forensics or data breaches,” Haley said in releasing her budget proposal.
Haley’s budget also recommends spending $12.4 million to finish upgrading the Revenue Department’s computer system and $1.2 million on cybersecurity at the Department of Motor Vehicles, which includes money for data encryption and software updates.