The new head of the state agency hit last year by a massive computer hacking attack said Tuesday that he has changed the state Department of Revenue’s organization and will make adequate computer security “non-negotiable.”
Bill Blume, in his first appearance as interim director of the Revenue Department, told a special Senate committee that he must restore public confidence in that department after hackers stole financial information belonging to 6.4 million consumers and businesses in mid-September.
Blume announced an additional $1.5 million in breach-related spending as he discussed how he wants computer security considered “a cost of doing business and an investment, rather than as an expense.”
“This was not the approach of the earlier DOR,” Blume told senators.
The former director of the S.C. Public Employee Benefit Authority, Blume succeeded Jim Etter, who agreed with Gov. Nikki Haley to leave the revenue agency at the end of last year.
Blume said he must first change the culture at the agency, which struggled with computer security.
Earlier this month, former Revenue Department security administrator Scott Shealy told state senators that his boss, the agency’s now-former chief information officer, did not make security a priority for years and did not heed staff recommendations. The agency’s deputy executive director also said he was unaware of security problems before the breach.
Blume said the agency’s computer security chief will report to its director, not to the chief information officer, to avoid competition. He also is developing a security council with agency leadership that will meet at least once a month.
“There can no longer be an argument without other people viewing it … especially if taxpayers’ information is at risk,” Blume told senators.
After the hearing, Blume said he has not fired any employees, but the agency’s more than 600 workers must accept the new culture. “You’re going to have to change to it or there’s no place for you.”
He expects employees to adjust.
“It’s embarrassing for us to have this (breach) at the DOR,” Blume said. “So I think everybody I have talked to out there is willing to do whatever they can to make this change.”
But breach-related costs are mounting. Despite getting a $20.2 million loan to pay for credit monitoring, data encryption and consultants, the agency plans to spend another $1.5 million. Blume said he will get the money from savings within the department.
More than $1.2 million will go toward disaster-recovery systems installed by Boston-based EMC, which also is being paid $3.8 million for encrypting data on computer servers.
A contract with EMC was signed Tuesday. The encryption should be finished in April, seven months after hackers stole unencrypted data from the agency.
The department also is adding two jobs – a chief computer security officer and a computer security coordinator – for $174,000. The agency has posted those jobs along with one for a chief information officer.
Another $90,000 will go to the Mandiant computer consulting firm, which already has been paid $750,000 to help with fixes after the breach.
The tax department could have another new cost: hiring more part-time workers to process an expected increase in paper tax returns. Hackers stole information from returns filed electronically, though Blume was quick to point out that the hacking was a result of how the agency stored the information, not how it was filed.
“The e-filing is not a problem they should be concerned with,” he said.