COLUMBIA, S.C. (AP) - South Carolina may spend $27 million next fiscal year on continued efforts to secure taxpayers’ personal data and provide another year of credit protection following the 2012 hacking at the state’s tax-collection agency.
The state budget may also require all state agencies to adopt cyber-security standards that are consistent across state government, to guard against another debacle. Nineteen months after a cyber-thief stole unencrypted data of 6.4 million residents and businesses from the Department of Revenue, it’s unclear how many agencies are adequately safeguarding their own data.
“We have no way of knowing if agencies are complying,” said Marcia Adams, director of the Budget and Control Board.
Nothing in state law gives its information technology division the authority to assess agencies’ progress or make policies mandatory, she said at a recent Cabinet meeting.
A clause in the House’s budget plan for 2014-15 would provide that authority. The Senate Finance Committee last week put a similar clause in the budget plan it’s crafting for the fiscal year that starts July 1. The Senate will debate its budget plan next month.
Gov. Nikki Haley said she believes the mandate is essential. She has required her Cabinet agencies, which include the Department of Revenue, to collaborate with the board’s IT division since November 2012, a month after she announced what was the nation’s largest hacking of a state agency.
Currently, each agency is responsible for its own security infrastructure.
Senate Finance Chairman Hugh Leatherman, R-Florence, said that needs to change, to both improve security and lower costs by eliminating duplication.
“State government spends a ton of money on IT equipment, and right now each agency is out there doing its own thing,” he said.
Legislators gave the board $11 million in the current fiscal year to start implementing cybersecurity steps recommended by Deloitte & Touche, which was hired last March to review agencies’ technology systems.
The newly structured IT division offers, at no cost to agencies, network monitoring and security solutions such as laptop encryption and an extra log-in step for accessing laptops remotely - a step consultants determined would have prevented the hacking. It has started issuing policies, assessed at least 10 agencies and offered a self-assessment tool for others. Security awareness training for all state employees began in February.
The Budget and Control Board is seeking $20.7 million next fiscal year for round two of the recommendations. That includes $5.7 million in operating money for the 21-person information security division and three-person privacy office, which is tasked with determining what data needs protected. The board’s seeking an additional $6.1 million to maintain and expand the division’s services. It’s also seeking $8.7 million in one-time money - $4 million more than given this year - for computer upgrades and more data protection capabilities.
The House budget plan, passed last month, funds the request.
It also includes $6.5 million for a third year of state-paid credit monitoring services for taxpayers affected by the hacking. It would mark the second year of the state’s contract with Texas-based CSIdentity Corp., awarded last September. The state is spending $8.5 million on that contract this year.