South Carolina will miss Saturday’s deadline set by some states for notifying residents when their personal data has been stolen. Still, security experts note state breach notification laws provide plenty of wiggle room.
Gov. Nikki Haley said this week the state will notify the 3.8 million individual tax filers whose electronically filed returns were stolen from the state Revenue Department’s computer servers. Their compromised data includes unencrypted Social Security and bank account numbers.
Her spokesman said Friday those letters and emails should go out within two weeks.
“We will go above and beyond to make sure the people who this happened to know of what has happened and how they can protect themselves,” Haley said Tuesday.
Revenue officials estimate that 1.3 million – or more than a third – of compromised filers live outside South Carolina. Many may have no knowledge of the hacking, first announced at an Oct. 26 news conference.
All but a few states have laws requiring residents to be notified. Most don’t specify a timeline, with laws worded like South Carolina’s “most expedient time possible and without unreasonable delay.” But Florida, Ohio, Vermont and Wisconsin require notification no later than 45 days after a breach is discovered.
That means the deadline is Saturday for affected tax filers living there.
That’s 45 days after the Secret Service notified state officials of the breach – and more than 10 weeks after the data’s removal.
Even in states without a clear deadline, an analysis of legal language puts 45 days as a maximum, said Gant Redmon, general counsel at Massachusetts-based breach management firm Co3 Systems Inc.
“I have never seen where anybody would take comfort in interpreting any of those laws as longer than 45 days,” he said.
But, he added, that’s subject to interpretation.
“Given a breach of this magnitude, I can understand why it may take a little longer to put an action plan together,” he said.
Haley’s office said the state had to wait to learn precisely whose data was taken.
On Tuesday, the governor said the electronically sent tax filings of 3.8 million individuals and 699,900 businesses were taken, along with the Social Security numbers of 1.9 million dependents, 3.3 million bank account numbers and 5,000 expired credit cards. Numbers previously provided were just estimates.
“We now know exactly who they were. We know who has been breached, so everybody will be notified,” Haley said in releasing details from Mandiant, the computer security firm contracted Oct. 12 to close the security hole and determine what happened.
“Anyone that electronically filed from the years of 1998 forward would need to watch for that letter and that email to see if they were part of that list,” Haley said, a day after receiving Mandiant’s report.
The revenue agency is getting bids on printing and mailing the letters, Godfrey said, explaining why they haven’t gone out yet. The state’s information technology division is just one vendor participating in the bid, he said.
“We are working to deliver South Carolina taxpayers the best possible service at the least cost – and we will begin mailing letters to affected taxpayers within two weeks or sooner if possible,” Godfrey said.
The founder of an information security research firm said precision is preferred, and leeway exists even in states with a set time frame.
“The key to success is, is the organization doing things to ensure accuracy in reporting and not stonewalling?” said Larry Ponemon, chairman of the Michigan-based Ponemon Institute. “It looks like South Carolina is attempting to do all of the right things. Sometimes it’s better to be correct and surgical than rush out a notification.”
Still, he said, the notification seems slower than expected.