COLUMBIA, SC — South Carolinas top lawmakers agreed Thursday that legislation is needed to offer income tax credits for taxpayers who have to pay for fraud monitoring and to standardize the governments fractured computer operations.
They also want an independent audit of the S.C. Department of Revenue after hackers stole financial information belonging to 6.4 million consumers and businesses from the agency.
Gov. Nikki Haleys office said her administration will work with lawmakers on ways to further protect and compensate affected taxpayers.
The governor also has no objections to a review by the independent Legislative Audit Council, though her office noted the S.C. inspector general and Mandiant, a computer security firm hired after the breach, are conducting audits.
Plans for legislative solutions to aid taxpayers and an audit were made public at a State House news conference Thursday held by a pair of top Democrats, state Sen. Vincent Sheheen of Camden and state Rep. James Smith of Columbia. The Democrats also called for creating a state fund to reimburse taxpayers hurt by the hacking.
When you have an incompetent government, you get incompetent results, Sheheen said.
State Rep. Leon Stavrinakis, D-Charleston, held a separate news conference in North Charleston on Thursday calling for an audit, saying his constituents have little confidence their tax returns are safe at the Revenue Department.
The Democrats proposals were backed by the State Houses two top leaders, a pair of Republicans House Speaker Bobby Harrell of Charleston, and Senate President Pro Tempore John Courson of Columbia.
Harrell said Republicans have been discussing such solutions since the breach was revealed a month ago. This is a bipartisan issue.
However, Courson and Harrell said they want to know more about the potential cost before backing a state fund to pay hacking victims.
Harrell said he plans next week to establish a special cyber-attack committee, like the one appointed by the state Senate that held its first hearing Wednesday.
At that hearing, senators learned a $25,000 dual-password protection program likely would have thwarted the hackers. The agency should have been using dual passwords before the breach to follow Internal Revenue Service requirements on handling federal tax data.
While saying the state could have done more, Haley has blamed IRS regulations, in part, for the hacking because they do not require encrypting taxpayer data housed in servers. The IRS requires encryption when data is transmitted.
The state chose to follow the IRS rules when deciding not to spend $5 million on encrypting data in 2006, so the state tax data hackers swiped was unencrypted. The governor has asked the IRS to revise its rules.
Smith and Sheheen said the breach is Haleys responsibility because it happened at an agency she directly oversees as part of her Cabinet. Revenue Department director Jim Etter is resigning at years end.
I find it laughable that our government is blaming the federal government for their own inadequacies and incompetencies, said Sheheen, who ran unsuccessfully against Haley for governor in 2010.
Haleys spokesman Rob Godfrey said Sheheen was grandstanding. He has never uttered the word cyber-security until this hacking incident.
All three Democrats who held news conferences Thursday are potential challengers to Haley in the 2014 governors race.
South Carolina has spent more than $14 million on breach repair thus far, including $12 million for Experian to offer a free year of credit-fraud monitoring for anyone whose information was stolen. After a year, taxpayers will have to decide whether to keep the service, which costs $160 to $240 a year.
Sheheen floated plans for a tax credit for credit-protection services that would last at least five years.
Republican leaders said they want to look at how much the tax credit might cost but agree with the concept. We really ought to do this for the taxpayers, Courson said.
Haley and many lawmakers agree the hacking shows that state agencies should no longer run their computer operations independently.
The Revenue Department did not fully use a free network-monitoring system offered by the states information technology division and chose to hire a private company that checked computer safeguards every quarter for almost all of its seven-year contract.
When you talk to experts in the field ... theyre laughing at what occurred because it is such an utter failure of providing the very basic, minimum protection, Smith said.
Harrell said he wants to keep open all options for standardizing computer administration, including possibly hiring a private firm to establish security rules and manage state agencies computer systems.
They could bring some expertise in, he said.