COLUMBIA, SC — South Carolina should know by May 1 how to tackle some of its most severe cybersecurity shortcomings and how much the fix might cost, state officials told lawmakers Wednesday.
The game plan would come more than six months after hackers stole personal financial information belonging to 6.4 million consumers and businesses from the S.C. Department of Revenue.
In the meantime, S.C. officials have given state agencies 11 short-term guidelines for protecting data, including changing passwords more frequently.
The agencies are not required to enact the guidelines, though they have complied, Jimmy Earley, director of the Division of State Information Technology, told a Senate special committee investigating the breach.
State agencies run their own computer systems. Many lawmakers and Gov. Nikki Haley want state computer security centralized while allowing agencies to maintain their computer networks.
But large-scale solutions remain months away.
The state put out bids Friday for a security consulting contract and expects to sign a three-year contract by early March, S.C. Budget and Control Board director Marcia Adams told the committee. No estimated contract costs were released.
South Carolina will have the consultant examine three different state agencies over two months to find trends in security problems, Adams said. The firm will provide estimates to make the repairs statewide on May 1.
Lawmakers will decide whether to spend the money to make the fixes.
The state already has spent $20 million in to repair breach damage – including $12 million to offer a year of credit monitoring to affected taxpayers. At least another $16 million in breach-related computer technology costs were part of the governor’s executive budget.
The consultant will have the rest of the contract to examine other agencies and develop a statewide plans for best cyber-security practices, Adams said.