In the months leading up to reportedly the worst cyber-security failure in U.S. history at a state agency, S.C. Department of Revenue officials deemed data encryption too costly on one hand while spurning offers of free cyber protection from another state agency with the other.
The result was an unprecedented breach of security and public trust that led to the theft of personal information, including Social Security and bank account numbers, of 3.8 million taxpayers, 1.9 million dependents and 700,000 businesses, the taxpayer price tag for which currently is at $20 million and growing.
On Tuesday afternoon, the House Ways and Means Committee took up a Senate-passed bill (S.334) that will run that figure up even further. Time ran out on the debate before a vote could be passed to send it to the full House, but that vote is scheduled to come this morning. If passed, it could reach the House floor by next week.
Sponsored by Senate Finance Committee Chairman Hugh Leatherman, R-Florence, S.334 would create an Identity Theft Unit at the S.C. Department of Consumer Affairs ($1.2 million total cost, $662,722 recurring); a Division of Information Security under the state Budget and Control Board, with a chief information security officer to be appointed by the governor with consent of the Senate ($1.75 million total cost, $1.5 million recurring); and a Technology Investment Council and Joint Information Security Oversight Committee, for a total recurring annual cost of $2.18 million, according to a cost projection by the Office of State Budget.
Under the Senate bill, 21 full-time positions would be needed with the creation of the Division of Information Security and Identity Theft Unit. That number would grow to 35 with the proposed House changes.
Appointments to the proposed seven-member Technology Investment Council and nine-member Joint Information Security Oversight Committee would be controlled primarily by the Legislature under Leatherman’s bill. If the legislation as written becomes law, Leatherman, as the Senate Finance Committee chairman, would have appointment powers with the new panels.
The bill also would create state income-tax deductions for taxpayers who are not eligible for the free protection but who wish to purchase identity theft protection – up to $300 a year for an individual or $1,000 a year for a joint return or return claiming dependents.
Additionally, the legislation would extend free credit monitoring and identity theft protection for eligible South Carolinians for another five years, though the Office of State Budget’s fiscal-impact statement on the bill didn’t project the taxpayer cost of that provision.
Beyond cost, however, there’s one major proposed change to the Senate version that might draw the ire of the Senate and potentially kill the bill’s chances this year. Rather than create a Division of Information Security under the Budget and Control Board as passed by the Senate, a House amendment would create a new Cabinet-level state agency, the Department of Information Technology, that would remove procurement and information security duties from the Budget and Control Board and absorb the BCB’s existing Division of State Information Technology – the very agency whose free offer of data protection was refused by the DOR prior to the 2012 security breach.
Under the House amendment, the head of the proposed new IT agency – a gubernatorial appointee in the Senate version – would be hired by a newly created Joint Information Technology Committee, a seven-member body comprised of two gubernatorial appointees, two Senate appointees, two House appointees and a rotating chief information officer from one of the state’s three research universities: the University of South Carolina, Clemson University and the Medical University of South Carolina.
Also, the House amendment would eliminate the Technology Investment Council as proposed in the Senate version and would rename the Senate’s proposed Joint Information Security Oversight Committee to the Joint Information Technology Committee.
Several members of the House Ways and Means Committee said during Tuesday’s meeting that they weren’t pleased with either the language included in the Senate version, passed by the Senate on April 16, or the new system it would create, not to mention the length of time – five years – being considered.
“People are saying, ‘Why are you hurrying up trying to do it?’” said Rep. Brian White, R-Anderson and the Ways and Means chairman. “All of us do not want there to be a gap in coverage from what Experian is currently providing and what mechanisms are out there, and this piece of legislation would prevent that from happening.”
But Rep. Harry Ott, D-Calhoun and the immediate past House minority leader, said extending credit protection for five more years before knowing how much such services will cost – the state won’t begin receiving bids for those services until June – is irresponsible lawmaking.
“I really and truly do not know why we are in such an almighty rush,” Ott said. “There is nobody in their right mind that will sit here and pass a bill giving the citizens of South Carolina a guarantee without knowing what it’s going to cost.
“I want to know how much it’s going to cost before I say I can afford it. I don’t think it’s unreasonable to have an idea of what the cost of something is before you make a commitment to give it to somebody.”
White said of the $20 million spent thus far, $12 million was for Experian to provide protection for the first year and another $8 million was on immediate security upgrades. Published reports indicate Experian wants to continue to provide the service to South Carolina at a cost of $10 million per year.
“And what exactly have we gotten for the $12 million we paid so far?” Ott asked. “There’s a lot of people that don’t think we’ve got a plug nickel’s worth of service for that $12 million. Some people don’t think that the product they are providing is worth half of the $12 million.”
White agreed, saying he’s heard similar arguments.
“That’s why the state sent out the RFP (request for proposal) in the first place,” White said.
For others, the issue of establishing a new division of information technology responsible for making sure other agencies cooperate is a recipe for disaster that doesn’t tackle the main issue – accountability – that got the state in trouble to begin with.
“What we found with this breach is they all played Keystone Cops and started pointing in the opposite direction,” Rep. Jim Merrill, R-Berkeley, said. “You could never pin down who was responsible for the breach. … What we’ve danced around and never said is that there was some attempt to hide the breach.”
“So what I get concerned about is vesting too much authority in a single entity, that entity being an agency head,” Merrill continued. “I don’t like there being somebody who could potentially be under a political thumb. I don’t like that the Senate is going to be the advice-and-consent entity when we all will be held responsible for what becomes of this. And I don’t care for the actual makeup of the committee.
“We don’t want to get to the point where we’re just passing something that perpetuates the problem instead of solving the problem. I think we’re setting ourselves up to fail here.”
Reach Aiken at ron@thenerve.org. Follow him on Twitter @RonAiken. Follow The Nerve on Facebook and on Twitter @thenervesc.