COLUMBIA, SC — Centralizing South Carolinas computer operations could lead to stronger, standardized security protocols in the wake of a data breach that exposed tax records of up to 4.25 million taxpayers and businesses, the states top technology officer said Thursday.
[At the end of the story: Video from Haley's Thursday Cabinet meeting and media briefing]
The best way to prevent breaches is working together, said Jimmy Earley, director of the SC Division of State Information Technology.
Most states either have centralized technology offices or technology chiefs who control computer procedures and testing, said Doug Robinson, executive director of the National Association of State Chief Information Officers.
South Carolina does not.
The SC information technology division, an arm of the State Budget and Control Board, offers sometimes at a cost a variety of technology services to state and local agencies. But no agency is required use those services, Earley said.
Agencies have their own information technology operations and many dont use services of the budget boards information technology division, including network monitoring and testing.
Among the state agencies not using those services was the SC Department of Revenue. Overseas hackers were able to use state-approved credentials to steal unencrypted tax records from the Revenue Department in September. Those records belong to as many as 3.6 million individual taxpayers and 657,000 businesses.
Soon after learning about the breach, the Revenue Department started using the state information technology divisions free network-monitoring service that can catch installation of viruses and unusually large data uploads within minutes, Earley said. The Revenue Department also started encrypting tax data.
Gov. Nikki Haley has asked Patrick Maley, the states inspector general, to work with the technology officers at state agencies to develop security standards. Haley wants to make the budget boards technology division part of a Department of Administration. Haleys proposal to create that new department, which would be under her control, failed to win approval in the Legislature this year.
Asked Thursday if the governor supported a centralized state technology office, her spokesman Rob Godfrey said, She looks forward to receiving (the inspector generals) report and then moving forward to make South Carolina state governments IT security as strong as possible.
Having standard protocols under one office whether or not a state has multiple chief technology officers is the best way to prevent data breaches, said Robinson of the national association.
You need to have someone with authority over operations, he said. When someone opens a window because, Its hot in here is when you get in trouble. You have to have everyone in agreement to keep the windows closed.
Earley worked at the SC Department of Motor Vehicles before becoming the states technology chief last year. He led efforts to encrypt Motor Vehicle data sitting in servers after the agency began to verify Social Security numbers from people trying to get drivers licenses.
If you are entrusted with sensitive data of South Carolinians, you have a responsibility to protect it, Motor Vehicles director Kevin Shwedo said.
Earley and Shwedo declined to say whether the Revenue Department should have encrypted data in its servers. Shwedo said agencies need to make security decisions based on the threats they face.
I have no insight in their operations, Earley said. Im not going to guess what they shouldnt or should do.
The state technology division works with 54 state agencies including the departments of Social Services, Mental Health, Employment and Workforce, Insurance, Natural Resources, Education, Public Safety and Corrections. The division also works with: nine cities, including Columbia and Greenville; 15 counties, including Lexington, Kershaw and Charleston; five utilities; 15 libraries; and 82 school districts.
The state technology division provides network monitoring for free with a grant from the U.S. Department of Homeland Security. Much of what the division fights are programs that would spy on what people type into computers, said Jim MacDougall, the states chief technology security officer for the past decade.
The technology group holds an annual conference each October to share cyber-security updates. About 300 people attended this years event held a day before the Secret Service told state officials about the breach at the Revenue Department.
MacDougall said he visits with every agency in the governors cabinet to pitch the divisions services. He said he also has promoted encrypting data in servers, though neither he nor Earley could recall making any special effort with the Revenue Department.
Still, the technology division helped the Revenue Department track down a virus last year that would send out spam e-mails but did not have the capability to spy on users or upload information, MacDougall said.
Since the Revenue Department data breach was announced Friday, more than 520,000 people have registered for one-year credit-report monitoring to better protect themselves from identity theft. The state will pay for that coverage, at a cost of up to $12 million.
At a cabinet meeting Thursday, Haley asked state agency leaders to deliver proposals by Tuesday on how to tell the public more about enrolling in credit monitoring.
State employees are not allowed to help people register for the monitoring because of privacy issues, said Thad Westbrook, an attorney with Columbias Nelson Mullins law firm, hired by the state to examine liability issues associated with the data breach.
Agencies could link to information about the breach on the Department of Revenue website. Some challenges exist, such as enrolling the states 29,000 prison inmates.
No news about the hackers was released Thursday. Michael Williams, the Secret Services special agent in charge in South Carolina, declined to discuss the investigation of the hacking, which his agency is leading.
SC Governor Nikki Haley Thursday Cabinet meeting
Video provided by the SC Governor's office.
SC Governor Nikki Haley Thursday media availability
Video provided by the SC Governor's office.