COLUMBIA — South Carolina is up against the deadline of some states for notifying residents when their personal data has been stolen. Still, security experts say state breach notification laws provide plenty of leeway.
Gov. Nikki Haley said this week that the state will notify the 3.8 million individual tax filers whose returns were stolen from the state Revenue Department’s computer servers. Their compromised data includes unencrypted Social Security and bank account numbers.
Her spokesman said Friday that those letters and e-mails should go out within two weeks.
“We will go above and beyond to make sure the people who this happened to know of what has happened and how they can protect themselves, and what we’re going to do to help them protect themselves,” Haley said Tuesday.
Revenue officials estimate that 1.3 million compromised filers live outside South Carolina, and many of them might have no knowledge of the hacking, first announced Oct. 26.
All but a few states have laws requiring their residents to be notified of breaches affecting them; violators can be subject to fines and lawsuits. Most states don’t specify a timeline, including South Carolina, which calls for providing notice in the “most expedient time possible and without unreasonable delay.”
However, Florida, Ohio, Vermont and Wisconsin require notification no later than 45 days after a breach is discovered. Today is 45 days since the Secret Service notified state officials of the breach – and more than 10 weeks since the data’s removal.
Even in states without a deadline, an analysis of legal language puts 45 days as a maximum. Other deadlines are interpreted as 10 to 15 days, said Gant Redmon, a general counsel at the Massachusetts-based breach management firm Co3 Systems Inc.
“I have never seen where anybody would take comfort in interpreting any of those laws as longer than 45 days,” he said.
But, he added, that’s subject to interpretation.
“Given a breach of this magnitude, I can understand why it may take a little longer to put an action plan together,” he said.
Haley’s office said the state had to wait to learn whose data was taken, and that didn’t come until Monday.
Attorney Jon Neiditz said Friday that while state officials were notified Oct. 10, they had no idea what had happened. He believes it would be more realistic to start the clock Oct. 26, after law enforcement officials allowed the breach to be announced. He said letters were sent to state attorneys general on Tuesday, disclosing the number of people affected in their states.
“All the states will feel we’ve been acting as speedily as we can, given the enormous size of the breach,” said Neiditz, an Atlanta-based partner with Nelson Mullins Riley & Scarborough, which the state hired Oct. 23. “The object is to exceed requirements as much as possible.”
A draft letter is ready to go. The revenue agency is in the process of reviewing several offers on printing and mailing the letters, Neiditz said, adding that a formal bid process is impractical.
The founder of an information security research firm said accuracy should take priority and agreed that leeway exists even in states that set a specific time frame.
“The key to success is, is the organization doing things to ensure accuracy in reporting and not stonewalling?” said Larry Ponemon, the chairman of the Michigan-based Ponemon Institute. “It looks like South Carolina is attempting to do all of the right things. Sometimes it’s better to be correct and surgical than rush out a notification.”
Still, he said, the notification seems slower than expected.