IT DOESN’T appear at this point that it would be fair to lay all the blame for the Revenue Department’s computer hacking debacle on Gov. Nikki Haley or top officials with her agency for failing to correct the inadequate security that previous governors likewise had ignored and that apparently plagues many other states as well.
But the key is “at this point.” We are learning new information nearly every day about the size, scope and causes of the data breach that exposed 4.25 million tax records to hackers. That means we don’t know enough yet to say for certain who should be held accountable, let alone what long-term policy changes need to be made.
The governor, and her predecessors, certainly share some degree of blame for not realizing the growing threat and making cyber-security a priority, as does the Legislature. In retrospect, it seems clear that our governors and legislators should have been asking the Revenue Department and other state agencies how they were protecting the sensitive personal information that South Carolinians had no choice about turning over to them.
The Budget and Control Board’s Division of State Information Technology, which ought to be thinking ahead of the curve on security, even if it doesn’t have a portfolio to match its name, could have asked, and asked loudly, for authority to implement and enforce government-wide security standards. There are just too many chances that the management at individual agencies won’t make computer security a sufficient priority, even if their IT managers raise the issue.
Certainly, the Revenue Department isn’t blameless. It declined to encrypt the information on our tax returns, even after the Department of Motor Vehicles realized it needed to do that, and it declined to use a free state monitoring service that might have alerted officials about the breach before the federal government detected it. It’s noteworthy that the agency signed up for the service after it learned of the hacking.
But even as we sort through the growing body of information to determine who, if anyone, was derelict in allowing our personal data to be exposed, a new dereliction clock started running on Oct. 10. That clock will measure how well officials address the problem, regardless of who is responsible.
Is Gov. Haley doing enough to make sure all current and former S.C. taxpayers learn of the attack? How will she ensure that those without computer access receive the protection the state is providing? If her response is inadequate, how will the Legislature correct that problem? Was the credit-monitoring contract with Experian the right answer, and did we get a good deal? If not, will the governor or the Legislature pursue another course?
Is the state doing enough to reduce the risk of future breaches, or to reduce the amount of sensitive data that can be accessed in a breach, at the Revenue Department and across the government? Is it doing enough to detect breaches when they occur and to limit and repair the damage once they are detected? Are officials giving us reliable information, or are they sublimating a full accounting in order to deflect political blame?
Yes, the criminal who broke into our computer system and stole our data is ultimately to blame. But we have a right to expect that state officials will limit the damage that is done to us — particularly the most vulnerable of us — as a result of their inadequate efforts to secure our information. And we have a right to expect them to learn from this disaster and implement policies to reduce our risk in the future.