STATEMENT FROM SENATOR VINCENT SHEHEEN ON DEPARTMENT OF REVENUE DATA BREACH AND THEFT
For weeks, I along with other many others have held back from calling a press conference as we waited for action and information from the Department of Revenue and this Administration.
But at this point, somebody has to speak up for those of us who are taxpayers of South Carolina.
Unfortunately, over the last few years we in this state have gotten used to a display of incompetency and dysfunction on the part of our state government. From agency to agency and leader to leader, our poor state has seen been subjected to ineptitude on countless occasion and at a shocking scale.
But the spectacle of the hacking scandal at the Department of Revenue, and its handling, is surely the Mother of All Government Dysfunction.
When it occurred- we were immediately told that it was just one of those things that happen. And “there was nothing more that could have been done.”
Anyone with a mind knew that was false. Within a week, I made one simple phone call to the State Information Office and learned that the D.O.R. had refused free data breach monitoring from the State Information Office that almost every other agency and even school districts were using – a system that very likely would have detected the breach.
We were told that the agency didn’t encrypt our personal data, that it forced us to give them, because other states weren’t doing it.
I picked up the phone and called the North Carolina head of their department of revenue, and he told me that they encrypted all their important data for years now. And that he couldn’t imagine that our state officials would not have failed to take that step.
Then, when a group of us simply asked the Administration and the Department for a copy of the DOR data security policy so we could better understand what went so terribly wrong, we got this – an answer you would expect in a third world banana republic- we were essentially told that they couldn’t tell us the policy that had failed so badly because it might “further compromise” security. I would have laughed if it hadn’t made me want to cry.
When we asked how someone could have used the internet to gain access to this information, we were told the internet wasn’t used. Then we find out that the internet was used to send emails to gain access to passwords within the agency.
And then, weeks and weeks later when we finally receive a copy of the contract with the private contractor who was supposedly providing security. The important parts ARE BLACKED OUT!
Seriously, what happened to transparency in government? What happened to honesty with those of us who just got our information stolen? What happened to an open book on the operations of state government?
Next the Department and Administration decide that the federal government would be a convenient scapegoat, and so somehow, which I still don’t understand, they cook up the idea to blame the IRS.
Turns out the IRS encrypts and protects its data, and issued a policy suggesting that states take every step available to provide higher security to their data.
Then just yesterday, more than a month after the state allowed the personal information of more than 3.7 million of us to be stolen, we hear a little more information leaked out from the Department under questioning at a senate hearing. We are told now that this all could have been avoided for a $25,000 password system! That the Department didn’t even think that a information security officer was a high enough priority to fill the job for almost a year!
Friends, this administration has allowed a tax to be placed on every single one of us for the rest of our lives, man, woman, and child. A tax requiring us to pay, ourselves, to monitor our credit and financial information for the remainder of our lives.
And it’s just not right. So we are demanding and calling on other more responsible leaders to help clean up this mess.
1) We are presenting today, to the non-partisan and professional staff, at the Legislative Audit Council letters requesting that an independent and comprehensive audit be conducted immediately of the DOR. To find out what really went wrong, why it went wrong, what should be done to fix it, and who ultimately bears the responsibility. Because so far, all we have seen is a lot of ducking, weaving, and excuse making. It’s time to take the politicians out of the loop. Because if you can’t trust them to tell you what went wrong, how can we trust them to tell us its been fixed.
2) And because the government imposed this tax, this cost, on our citizens. We are demanding that for a period of least five years and hopefully longer, the legislature pass a tax credit allowing every citizen and business in South Carolina a tax credit for the cost of obtaining the necessary credit protection.
3) And if the state is really serious about trying to correct the dysfunction of its agencies and incompetence of its leaders- it will promise to reimburse any South Carolina citizen who suffers a theft of his or her assets as a result of the compromised data.
Hopefully, our government has reached its low point in modern history. Hopefully, we will look back on this episode as the wakeup call we needed in government and in our state to change the way business has been done during the last decade. We will do our best to make sure that is true.