COLUMBIA — A bill, approved Tuesday by a state Senate committee, would offer credit-fraud protection for 10 years to S.C. taxpayers and others after hackers stole information belonging to 6.4 million consumers, children and businesses from the S.C. Department of Revenue last fall.
The bill now goes to the full Senate.
Resolving the hacking incident and preventing future cyber-attacks could cost the state hundreds of millions in the future, warned Senate Finance Committee chairman Hugh Leatherman, R-Florence.
Meanwhile, fraud-prevention companies eagerly are offering to help South Carolina recover from the nations worst-ever hacking of a state agency.
The head of a House special committee looking into the breach said he has received pitches from several companies. An executive of an identity-theft protection firm recently testified before a Senate committee. And the governors office is weighing a number of offers to provide a year of no-cost protection to consumers. Providing the first year of that protection will cost the state $12 million.
Every vendor out there knows this is an opportunity because were going to do something significant with IT (information technology) security, said House Majority Leader Bruce Bannister, R-Greenville. Theyre looking for a good sales year in South Carolina.
The bill approved unanimously Tuesday by the Senate Finance Committee also creates:
• A department of information security that reports to the governor;
• A tax credit of $300 for individual filers and $1,000 for joint filers to buy credit protection;
• An identity-theft unit at the S.C. Department of Consumer Affairs; and
• A pair of committees to recommend statewide technology and cyber-security policies.
State Sen. Harvey Peeler, R-Gaffney, said he was concerned about the new staffing and layers of government created by the bill, developed after 11 meetings of a special committee. I have not seen this much creation since Genesis.
While no immediate cost estimates were available, Leatherman said he expects the state could spend hundreds of millions.
Whatever the cost is, we have to do whatever we can to protect our citizens, Leatherman said. They have been compromised. They have got to live with that the rest of their lives. We cannot close this door when this horse got out, but I sure hope we can keep the doors closed next time.
A House special committee probing the breach has not introduced a proposed bill to address the breach. However, representatives have introduced bills to create a state computer security office and develop a fund to reimburse identity-theft victims.
Helping people spot credit fraud was the goal of signing Experian to a $12 million one-year, emergency state contract, reached just before Gov. Nikki Haley announced the breach in October.
Experian agreed to provide a year of credit monitoring for 5.7 million taxpayers and their children. More than 1.3 million consumers have registered for the credit monitoring, the Revenue Department said. The deadline to enroll for the first year of free-to-consumers monitoring is March 31.
Now, fraud-prevention companies are vying to provide aid to consumers during a second year. Experian has offered to provide a second year of coverage for $10 million.
The House has set aside $25 million in next years state budget, which takes effect July 1, to cover another year of credit protection, which lawmakers insist will be awarded through the states formal bidding process. Any remaining money would pay for other hacking-prevention work, such as proposals to start a state department of information security.
Haleys office is talking to companies and lawmakers about providing South Carolinians with the best protection at the least cost and least hassle to them, spokesman Rob Godfrey said.
Clarissa Cerda, chief legal officer at identity-theft protection firm LifeLock, recently testified for more than hour before a Senate special committee on the breach at the suggestion of a lobbyist.
Cerda said credit monitoring with alerts of bogus loans and credit cards did not go far enough to protect consumers from ID theft. She said her company was more proactive, looking for other forms of fraud such as claims for medical and government benefits.
As thieves have become more sophisticated, the crime has moved beyond the solutions employed by most states, Cerda testified. Youre in a position to really consider bringing a 21st-Century solution to address this 21st-Century problem, rather than taking the more reactive, traditional approach of just addressing the very limited symptom at hand.
Cerdas testimony led to amendments in the Senate bill that widened the definition of identity-theft protection to include services offered by LifeLock. Senators also approved tripling to $1,000 the maximum tax credit to buy credit protection for joint filers to accommodate higher-price programs such as LifeLock, which can cost up to $300 a year per person.
Cerda did not make a formal pitch for her company during her testimony, but senators asked her to send cost estimates during the hearing.
Some identity-theft experts say it is not appropriate for companies to be pitching for business now.
Its aggravating to me that this becomes a sales opportunity, said Avivah Litan, an identity-theft analyst with the Gartner research firm.