COLUMBIA, SC — Gov. Nikki Haley told her cabinet agency directors they need to do more to stop the biggest threat to data security they face – themselves.
In a cabinet meeting Tuesday morning, the first-term Republican governor held up the revamped Department of Revenue as an example all other agencies should follow to secure the personal information they store for South Carolina’s 4.7 million residents.
Just 10 months ago, an international hacker stole the personal information of more than 6 million consumers, affecting anyone who has filed a state tax return online since 1998. Since then, the department has a new director – Bill Blume, formerly the state’s retirement systems director – and a new way of thinking about data security.
“(Others) look at technology first. We look at culture first and people first,” Blume said.
That’s why Blume said he has made security the top priority for all of the agency’s 800 employees. Employees spent more than 4,000 hours on security education between February and July. Blume has hired a chief security officer, someone who reports directly to him instead of reporting through the agency’s technology director. And Blume has cut off access to the department computer system to anyone who does not work for the agency – a decision that has frustrated some local governments used to unfettered access to the Department of Revenue’s information.
“Today’s attack vector is employees and computers,” said Jimmy Earley, director of the Division of State Information Technology. “Hackers aren’t beating on the servers and firewalls, they are trying to get into your network by compromising one of your work stations, or fooling one of your employees into doing something – clicking on a link or going to a site they shouldn’t visit.”
Haley ordered her cabinet agency directors to adopt the same model, telling them “If you don’t have top of the line, key IT and security people, get rid of them.”
Some agency directors balked at the plan, including Kevin Shwedo, the director of the Department of Motor Vehicles, who said “I don’t want to think about what would happen” if he cut off SLED’s access to DMV’s computer system.
“There are times in state organizations when I need to share data with other state organizations because that’s part of my core mission. So I can’t shut it down. I can’t draw a firewall,” he said.
But Haley was not moved by similar arguments from local governments that she said complained about being cut off from the Department of Revenue’s system.
“We can’t say we are going to be a state that cares about security and at the first sign of inconvenience we stop that. ... we are not going to compromise security for convenience, no matter what anyone says, no matter who they say should have access,” she said. “They are going to get their information, but not able to jump into Bill’s system to get it. Is it going to take a little time and effort? Yes, but we are not going to do that anymore.”
Haley’s cabinet meeting comes less than a week before she formally announces her reelection plans in Greenville. Her likely Democratic opponent, Sen. Vincent Sheheen, has made the data breach a central part of his campaign. In January, on the first day of the legislative session, he introduced a resolution that would formally apologize to the people of South Carolina, saying that someone should apologize because Haley has not. And he put $400,000 in the state budget to reimburse people if they could prove they lost money because of the data breach.
Sheheen has criticized the governor for keeping a report on what caused the breach secret. Haley’s office has referred all questions of that investigation to the U.S. Secret Service and the State Law Enforcement Division.
“The Haley administration’s handling of the DOR hacking scandal has obviously been a disaster,” Sheheen said in a statement distributed by his campaign. “Fundamentally, we have an administration that operates in secret. For whatever reason, the governor’s first instinct is to keep things from the public.”
Last month, the Budget and Control Board – where Haley is the chairwoman – opened the bidding process on a contract worth up to $10 million to provide identity theft security to people affected by the data breach. The contract includes identity-theft insurance to every taxpayer to cover "identity-restoration costs, losses due to identity theft, lost wages and legal fees and expenses" of up to $1 million.
Asked if she felt the voters were holding her responsible for the data breach, Haley said she doesn’t “think like that.”
“I think they want to know what’s being done,” Haley said after the meeting. “After seeing what happened in that breach, it was my responsibility to say what has not been done, what can be done and how do we improve it going forward. My hope is, going forward, we do more than enough to make sure the citizens of this state are protected.”
Reach Beam at (803) 386-7038.