The massive theft of taxpayer information is another indication the governor’s office doesn’t need additional responsibilities, state House Minority Leader Harry Ott says.
“We have seen the last two governors run deficits. We’ve seen things like this hacking where the responsibility clearly falls under the duty of the governor. They have not shown me they have a better ability to deal with finance or other administrative duties. They have failed to execute their duties,” the St. Matthews Democrat said.
The scandal gives the Legislature good reason to think twice about replacing the Budget and Control Board with a Department of Administration, he said.
“I see no reason to rush to ... transfer additional duties to the governor’s office … when they have not demonstrated a very good use of the power they already have,” Ott said.
Ott and other lawmakers spoke Thursday at a legislative workshop for the media sponsored by the South Carolina Press Association, the South Carolina Broadcasters Association and The Associated Press.
Sen. Harvey S. Peeler Jr., the Senate majority leader, acknowledged that the hacking scandal will affect the debate about gubernatorial powers, but said citizens will realize that “for the executive functions, the buck needs to stop at the governor’s desk. For the legislative functions, the buck needs to stop right here” with the Legislature.
The Gaffney Republican suggested that people are worrying too much about what might happen as a result of the hacked income tax forms.
“We need to prepare for the worst,” he said, but we can also “hope for the best.”
People worried that computers would go haywire and life as we knew it would change on “Y2K” but the actual event was anticlimactic, Peeler said.
Ott responded, “Let me tell you, the hacking did occur, senator. It’s not like Y2K. We can’t pretend this never happened. Many people had their personal information stolen. It happened. You can stick your head in the sand if you want, but it happened, and millions of South Carolinians are angry about it.”
“Harry, I know you’re trying to place some blame on the governor,” Peeler replied. “We need to put an Internet net over the entire state and protect all of the agencies, and whatever it costs, that is what the state is going to have to do.”
The discussion about the governor’s powers was part of a larger discussion about the hacking. The tax returns of 3.8 million residents and 700,000 businesses were stolen from South Carolina Department of Revenue computer servers in the largest hacking of a state agency in the nation’s history.
Ott said it’s “totally unacceptable” that the Department of Revenue’s database full of Social Security and bank account numbers was so vulnerable that all it took for a hacker to gain access was one employee opening a virus-infected email.
“This was a low-tech breach. We heard testimony that you needed a skill level of 4 on a scale of 10,” Ott said. It succeeded because “we failed to have security in place” and “even when we knew” a breach had occurred, the agency didn’t have a protocol for dealing with it.
“I have not heard anybody come forward and accept responsibility for this whole cyber security mess we find ourselves in now,” Ott said. “Until we know what went wrong, we can’t fix the problem and we have a certain amount of exposure” to having it happen again.
Sen. Kevin L. Bryant, R-Anderson, who described himself as the “techno-geek of the Senate,” said he has “never found a need to call the Department of Corrections and ask them if they are locking their doors at night or calling (law enforcement) and asking if there are bullets in their guns.”
Likewise, Bryant said he was shocked to discover that the Department of Revenue “did not have the layers of protection that most assume” they would have on their sensitive data.
“All databases are vulnerable for a breach, but at lunchtime the lion goes after the slowest zebra,” he said.
Bryant said it’s possible the breach could have been prevented if the state had invested as little as $60,000 into security features.
Rep. Bruce Bannister, R-Greenville, said state employees need to be taught not to open suspicious emails, but “there are going to be times” when the system is compromised, so “you have to have a managed, monitored network” to spot breaches and a protocol for responding to them.
He said various state agencies, “have come up with their own hodgepodge of solutions for security. Not all the state agencies are on the same page.”
Rep. Gilda Cobb-Hunter, D-Orangeburg, said that’s a problem.
“I don’t think we ought to be allowing agencies to maintain their own security. It’s just too unsafe,” she said. “Our state information office is already in place and ought to be responsible for technology and security needs.”
Cobb-Hunter also pointed out, “There is a proviso in our state budget that creates a technology committee that allegedly has been reviewing the technology needs of the state. We should tweak that to bring in the accountability and transparency we need.” She said the committee is comprised of legislators and technology experts.
Cobb-Hunter expressed her concern over the governor’s decision to hire Experian to monitor South Carolina taxpayers’ credit reports.
“I am concerned about a no-bid contract with the potential to make a whole lot of money off the taxpayers of this state,” she said. She called it “a sweetheart deal.”
Worse, it may have been unnecessary, legislators said.
“What Experian has offered is already available as part of the (federal) Dodd-Frank Act,” Cobb-Hunter said. “Here we are advertising a service that taxpayers can already access for free.”
“This contract is giving us nothing more than we already had,” said Rep. Mandy Powers Norrell, D-Lancaster. “I’m just a freshman lawmaker and $12 million sounds like a lot of money to me, and that’s just for one year of what we call security for our people, but it’s not security, it’s credit monitoring.
“We paid Experian to look at our Experian credit report one time a year. We can all check our credit report for free once a year. There is nothing we can do about the fact that our Social Security numbers and bank numbers are out there.”
Bannister said, “We’re giving Experian access to several million potential customers. I’d like to know how many of our citizens decided to go ahead and pay for additional services by Experian.”
Contact the writer: firstname.lastname@example.org and 803-533-5552.