Centralizing South Carolina’s computer operations could lead to stronger, standardized security protocols in the wake of a data breach that exposed tax records of up to 4.25 million taxpayers and businesses, the state’s top technology officer said Thursday.
“The best way to prevent breaches is working together,” said Jimmy Earley, director of the S.C. Division of State Information Technology.
Most states either have centralized technology offices or technology chiefs who control computer procedures and testing, said Doug Robinson, executive director of the National Association of State Chief Information Officers.
South Carolina does not.
The S.C. information technology division, an arm of the State Budget and Control Board, offers – sometimes at a cost – a variety of technology services to state and local agencies. But no agency is required to use those services, Earley said.
Agencies have their own information technology operations and many don’t use services of the budget board’s information technology division, including network monitoring and testing.
Among the state agencies not using those services was the S.C. Department of Revenue. Overseas hackers were able to use state-approved credentials to steal unencrypted tax records from the Revenue Department in September. Those records belong to as many as 3.6 million individual taxpayers and 657,000 businesses.
Soon after learning about the breach, the Revenue Department started using the state information technology division’s free network-monitoring service that can catch installation of viruses and unusually large data uploads within minutes, Earley said. The Revenue Department also started encrypting tax data.
Gov. Nikki Haley has asked Patrick Maley, the state’s inspector general, to work with the technology officers at state agencies to develop security standards. Haley wants to make the budget board’s technology division part of a Department of Administration. Haley’s proposal to create that new department, which would be under her control, failed to win approval in the Legislature this year.
Asked Thursday if the governor supported a centralized state technology office, her spokesman Rob Godfrey said, “She looks forward to receiving (the inspector general’s) report and then moving forward to make South Carolina state government’s IT security as strong as possible.”
Having standard protocols under one office – whether or not a state has multiple chief technology officers – is the best way to prevent data breaches, said Robinson of the national association.
“You need to have someone with authority over operations,” he said. “When someone opens a window – because, ‘It’s hot in here’ – is when you get in trouble. You have to have everyone in agreement to keep the windows closed.”
Earley worked at the S.C. Department of Motor Vehicles before becoming the state’s technology chief last year. He led efforts to encrypt Motor Vehicle data sitting in servers after the agency began to verify Social Security numbers from people trying to get driver’s licenses.
“If you are entrusted with sensitive data of South Carolinians, you have a responsibility to protect it,” Motor Vehicles director Kevin Shwedo said.
Earley and Shwedo declined to say whether the Revenue Department should have encrypted data in its servers. Shwedo said agencies need to make security decisions based on the threats they face.
“I have no insight in their operations,” Earley said. “I’m not going to guess what they shouldn’t or should do.”
The state technology division works with 54 state agencies – including the departments of Social Services, Mental Health, Employment and Workforce, Insurance, Natural Resources, Education, Public Safety and Corrections. The division also works with nine cities, including Columbia and Greenville; 15 counties, including Lexington, Kershaw and Charleston; five utilities; 15 libraries; and 82 school districts.
The state technology division provides network monitoring for free with a grant from the U.S. Department of Homeland Security. Much of what the division fights are programs that would spy on what people type into computers, said Jim MacDougall, the state’s chief technology security officer for the past decade.
The technology group holds an annual conference each October to share cyber-security updates. About 300 people attended this year’s event, held a day before the Secret Service told state officials about the breach at the Revenue Department.
MacDougall said he visits with every agency in the governor’s cabinet to pitch the division’s services. He said he also has promoted encrypting data in servers, though neither he nor Earley could recall making any special effort with the Revenue Department.
Still, the technology division helped the Revenue Department track down a virus last year that would send out spam e-mails but did not have the capability to spy on users or upload information, MacDougall said.
Since the Revenue Department data breach was announced Friday, more than 520,000 people have registered for one-year credit-report monitoring to better protect themselves from identity theft. The state will pay for that coverage, at a cost of up to $12 million.
At a cabinet meeting Thursday, Haley asked state agency leaders to deliver proposals by Tuesday on how to tell the public more about enrolling in credit monitoring.
State employees are not allowed to help people register for the monitoring because of privacy issues, said Thad Westbrook, an attorney with Columbia’s Nelson Mullins law firm, hired by the state to examine liability issues associated with the data breach.
Agencies could link to information about the breach on the Department of Revenue website. Some challenges exist, such as enrolling the state’s 29,000 prison inmates.
No news about the hackers was released Thursday. Michael Williams, the Secret Service’s special agent in charge in South Carolina, declined to discuss the investigation of the hacking, which his agency is leading.