IT SEEMS counter-intuitive to give the governor more control over computer security and other administrative duties after her Department of Revenue gave away our Social Security numbers and bank account numbers.
Until you think about what caused the problem. And how it perhaps could have been prevented. And how you fix things once they go wrong.
When you do that, the data breach at the Revenue Department becomes yet another reason our Legislature needs to pass a bill that puts the governor in charge of a new Department of Administration and transforms lawmakers’ primary job from writing laws to providing oversight of the way executive agencies administer those laws.
“This is a perfect time to do this,” Sen. Shane Massey told his colleagues on the Senate Judiciary Committee last week, when someone brought up the security breach, “because if we had had legislative oversight, I believe that somewhere, someone, at some time would have asked the Department of Revenue about security.”
I believe he’s right.
It’s true, as Sen. Kevin Bryant noted the other week, that it never would have occurred to most of us to ask the Highway Patrol if troopers were putting bullets in their guns. But if we had a Legislature that saw its main job as setting policy and understanding what goes on inside of state agencies well enough to make sure those policies are carried out, someone probably would have noticed that the agency that has possession of our most sensitive financial information had gone a full year without an IT security chief.
As it is, legislators know precious little about what goes on inside state agencies. They might hold hearings and ask probing questions when something goes wrong. Otherwise, most of what they know comes via annual budget hearings, where agency officials come before a panel of three or four lawmakers to explain why they need more money (or less of a cut) and changes to the laws they operate under. If they get 30 minutes, they’re lucky.
The Department of Administration bill, which the Senate should take up today, would require legislative committees to conduct routine reviews of the agencies in their jurisdiction. That means the job of understanding the agencies would be shared among all 46 senators and all 124 House members instead of just the 23 senators on the Finance Committee and the 25 representatives on the Ways and Means Committee.
“This is not some silver bullet,” said Sen. Vincent Sheheen, the primary sponsor of the legislation. “There are many Cabinet agencies that are dysfunctional right now, but it does force legislators to do their job, and it does force the executive branch agencies to do their jobs, and when they don’t, they can be held accountable by this legislative authority.”
Of course the Legislature could do oversight without giving the governor more power; indeed, there’s no good reason it doesn’t already do this.
But other aspects of the Department of Revenue security breach bolster the case for creating a Department of Administration controlled by the governor to replace the Budget and Control Board — a panel composed of the governor, treasurer, comptroller general and two legislators that oversees a central administrative agency by the same name.
Our Social Security numbers got hacked because no one was taking computer security seriously enough to institute such basic protections as double-password authentication and encryption of sensitive taxpayer data.
The people in charge of the Revenue Department didn’t know anything or apparently care very much about cyber security; that’s one reason no one was in any hurry to hire a new computer security director. What they knew about was taxes, much as the people in charge of most agencies know about the service they provide.
And the state’s central information technology division has no authority to set standards, much less enforce them; it’s essentially a vendor, selling its services to agencies that want to buy them, so Revenue was free to ignore its security recommendations.
That’s just crazy on its face, and I’m convinced that no one ever tried to change this because the IT division is part of the Budget and Control Board, which was created to be the political antithesis of centralized authority and, with its five bosses in charge, has no one in charge.
One of the things a well-designed Department of Administration can do is provide some oversight of its own — whether it’s in human-resource management or cyber security — because it has the expertise to question how agencies are handling those administrative matters that they are not expert at.
The other thing a Department of Administration — or any Cabinet agency — gives us is accountability. And knowing they can be held accountable changes the way people react when things go bad.
It’s not clear to me who should be held responsible for the breach. Some would argue that it’s unrealistic to blame anyone above the agency’s IT director — who can’t be held accountable because he resigned beforehand for what officials say were unrelated reasons. Others would argue that the blame should go higher, to then-Revenue Director Jim Etter or all the way to his boss, Gov. Nikki Haley.
Despite the absence of a clear-cut answer to that question, Mr. Etter resigned a month after the breach became public, clearly with the encouragement of a governor who understands that voters have every right to hold her responsible.
The result is that we have a new Revenue director who has no one and nothing to protect, and who can apply a fresh, critical eye to the organization. It’s the sort of change that’s needed after such a calamity, regardless of whether the previous director could reasonably have been expected to prevent it — and the sort of change it’s easy to imagine not occurring in an agency that’s overseen by a board instead of a governor.
Ms. Scoppe can be reached at firstname.lastname@example.org or at (803) 771-8571.