NINETEEN months ago, hackers broke into the S.C. Department of Revenue computers and made off with the Social Security numbers and other sensitive financial information of 6.4 million current and former individuals and businesses in our state.
We have not yet begun to experience the ramifications of this breach, which will haunt South Carolinians for decades.
We were all outraged, and justifiably so, and the Revenue Department set about improving its security system — which is to say, it set about bringing it up to the bare minimum you would expect of any entity that possesses other people’s financial data, which is far more than it had at the time of the breach.
And we discovered that not only the Revenue Department but our entire government has security systems that would make Target blush, from a central administrative agency with no authority to make anybody do anything to agencies whose directors are clueless about cybersecurity.
Our Legislature promised to fix the problem. Did we mention that the largest breach of state government data in U.S. history occurred 19 months ago? And that, as a Senate panel was reminded last week, outside of the Revenue Department and a smattering of proactive agencies, there is no reason to think that our personal information is any safer today than it was 19 months ago?
The problem is not the agencies. Or at least it’s not primarily the agencies. The agencies are busying themselves fulfilling their legislatively created mandates.
The problem is the Legislature, which has not added “keep our data safe” to those mandates.
Specifically, since the Senate passed a bill last year to reduce our vulnerabilities, the problem is the House, which held a bunch of hearings … right after the breach. And produced precisely nothing. The House hasn’t even adopted the Senate bill, which, while certainly not perfect, is light years beyond the status quo in terms of protecting state agencies — and by extension, us — from another attack.
This is not rocket science. It is not even computer science.
It is governance. Which our legislators claim to be expert at. And if they’re not, then they ought to just resign and make way for someone who is or at least aspires to be.
The governing principles are not even complicated.
Our state’s central information technology division has no authority to set standards, much less enforce them, so Revenue ignored its recommendations. The people in charge of the Revenue Department didn’t know or apparently care much about cybersecurity. They knew about taxes, much as the people in charge of most agencies know about the service they provide. So we got hacked.
What we need is a central office that can set and enforce security standards across state government. It should report directly to the governor rather than a commission, because having one boss instead of multiple bosses leads to faster and surer responses to problems. And the governor ought to be able to hire and fire that director.
The Senate bill creates that central authority, replacing a disjointed status quo that allows each agency to determine how careful to be with our personal information, even though agency directors aren’t experts in cybersecurity and might not want to spend money or adopt time-consuming procedures.
It was inconceivable that our Legislature could leave town last year without putting the mechanisms in place to protect us from further attacks, and yet it did. It is inconceivable that we are three months into the second legislative session after the breach, and the House still has not lifted a finger to protect us.
It would be the grossest of dereliction of duty for representatives to continue to do nothing.