COLUMBIA, S.C. (AP) — South Carolina lawmakers voted Wednesday to pursue a multi-year contract for credit services that provide taxpayers with better protection from identity theft after last fall’s massive hacking of personal data from Department of Revenue computer servers.
Lawmakers hope a competitive bidding process attracts services beyond those offered in the one-year, $12 million Experian contract that Gov. Nikki Haley negotiated last October after learning of the theft.
It was later determined that the thief took unencrypted Social Security and bank account numbers of 6.4 million residents and businesses.
In a related matter, consultants with Deloitte & Touche told the Budget and Control Board that creating a statewide cybersecurity approach in an effort to prevent another such attack will cost an estimated $15 million next fiscal year.
The amount is in line with legislators’ budget plans for 2013-14. The House plan set aside $25 million to cover both additional consumer protections like what Experian has been providing — which some have estimated at $10 million — and fixing the state’s decentralized computer security system.
That’s sheer coincidence, said House Ways and Means Chairman Brian White.
“We knew there would be costs to the overall system,” said White, R-Anderson, who’s on the five-member budget board. “We just put some money in a pot.”
The Senate plan up for debate on that chamber’s floor next week also sets aside $25 million for the effort, though it designates the money according to its cybersecurity plan.
The state’s decentralized approach to computer security, as well as inconsistent training for employees, makes it difficult for agencies to guard sensitive data, said Mike Wyatt, director of security and privacy for Deloitte & Touche, which was awarded a $3 million, three-year contract in March to evaluate agencies’ systems and make suggestions with cost estimates.
“There’s really no linkage between security operations in place today,” Wyatt said.
His comments, as well as the company’s recommendations, closely follow those made by state Inspector General Patrick Maley last December, which the Senate used to help craft the bill it passed last month. White said the House will take up that bill soon. The regular session ends in a month.
The reorganization involves creating an information security division to centralize oversight and standard-setting, while allowing each agency’s technology staff to carry them out according to their needs.
Setting up and hiring staff for that new division, training employees across state government, and implementing technology recommendations are estimated to cost nearly $15 million in 2014-15. Recurring costs should be more than $7.3 million yearly, Wyatt said.
The Senate bill also calls for up to 10 years of state-paid credit protection services for taxpayers beyond those provided by Experian. That $12 million, one-year contract represented the largest single amount among $25 million spent so far in clean-up costs and security updates initiated following the hacking. Its credit monitoring service informs customers about new credit card accounts after they’re opened and provides over-the-phone resolution assistance after people determine they’ve become an identity theft victim.
Taxpayers had until the end of March to sign up. More than 1 million met the deadline. The bid request asks companies to transfer those customers to the new contract and possibly enable the Department of Revenue to sign up people directly.
Senate Finance Chairman Hugh Leatherman, a member of the budget board, stressed Wednesday that the request for bids must seek heightened services.
Haley said the bidding process should ensure a competitive rate with companies seeking to outdo themselves.
“We’re trying to get the most security and the most for our money,” she said.
