Nearly 18 months after hackers stole financial information belonging to 6.4 million S.C. taxpayers and businesses, state agencies still have no consistent plan for securing data, officials told a state Senate hearing Tuesday.
In response, some senators said they want to make cyber-security mandatory for state agencies.
“It’s a difficult process that’s probably not moving as quickly as we would like,” Sen. Joel Lourie, D-Richland, said after a Finance Committee hearing.
Sen. Kevin Bryant, R-Anderson, said agencies either should use standards set by the State Budget and Control Board, which oversees government operations, or show proof they have adopted accepted security practices. He said he was surprised there had not been another major data breach at a state agency since hackers managed to steal tax data from the Department of Revenue.
After the nation’s worst breach at a state agency, the budget board offered all departments cyber-security measures – including dual-password programs and laptop encryption – at no cost. This was in addition to computer network monitoring the budget board already offered.
The budget board received $10.9 million in additional state taxpayer money this year to buy new technology and build up its division of information security. The board wants another $20.7 million for the same purposes next year.
The S.C. Department of Revenue received more than $20 million in additional state money last year after the breach, including $12 million to pay a firm to provide credit monitoring for victims. Another $10 million was set aside for monitoring this year.
Various state agencies also have received money for security upgrades since the hacking.
But technology security remains decentralized among state agencies.
Those agencies are not required to use the state’s services, Budget and Control Board director Marcia Adams told senators on Tuesday. She said she did not know how many agencies were taking advantage of the budget office’s security offerings.
“Right now, we don’t have an audit capacity or an assessment capacity so we don’t know if” agencies are following statewide policies, Adams said.
Kyle Herron, the new head of the state division of technology, said his office still is gathering information about cyber-security measures from agencies. “There’s a lot of unknowns at this point,” he said.
Herron said cyber security across the state has improved since the fall 2012 breach. But, he added, “It’s very hard to quantify a specific number to say what that is.”
South Carolina government is playing catch up, a consultant told senators. Cyber security has not been a priority for many state agencies because money has been tight because of the recent economic downturn, said Mike Wyatt, security and privacy director for Deloitte Consultants, which received a $3 million contract last year to address the state’s cyber-security needs.
“The core mission of the agencies takes the bulk of (their) funding,” Wyatt said.
Deloitte has suggested the state adopt a centralized security operation that agencies must follow.
Reach Cope at (803) 771-8657. Reach Shain at 771-8619.