South Carolina’s tax collection agency will receive a $20 million loan to pay for the state’s response to the hacking of millions of taxpayers’ personal data.
The Budget and Control Board on Wednesday approved letting the Revenue Department borrow from the state’s insurance reserve fund. It also approved hiring a consultant to assist in the hiring of an expert on centralizing the responsibility of agencies’ computer security.
The loan covers decisions made by Gov. Nikki Haley and Revenue Director Jim Etter after the U.S. Secret Service notified state officials of the breach Oct. 10.
“It’s $20 million that had to be spent right away,” Haley said. “Those things needed to be spent.”
The state owes the largest single amount – $12 million – to the credit bureau Experian. The first half is due Saturday. The state’s contract provides a year of credit monitoring for taxpayers who sign up by Jan. 31, as well as dedicated call center operators. About a million people have signed up so far.
Other bills coming due include $200,000 to a public relations firm, $290,000 to a legal firm, and $750,000 to Mandiant, whose computer forensic experts determined what happened and recommended how to better secure the agency’s data.
The revenue agency also expects to spend $5.6 million on two Mandiant recommendations – the bulk of it to encrypt stored data. About $25,000 will buy gadgets that produce temporary passwords for employees logging into the system remotely. Mandiant officials have testified either of those two things could have prevented the nation’s largest hacking of a state agency.
The electronically filed tax returns of 3.8 million adults and 700,000 businesses were hacked in mid-September. Stolen data included unencrypted Social Security numbers – of adults as well as their 1.9 million dependents – and bank account numbers.
Notices to affected taxpayers are starting to go out this week. All 3.8 million should be notified by year’s end, according to Haley spokesman Rob Godfrey.
Haley said the notices will cost $1.3 million.
The governor said it’s appropriate that Revenue get a loan from insurances reserves, which the state has previously drawn from to cover expenses stemming from natural disasters.
“When this happened, I related this to a hurricane. It was rapid response,” Haley said.
The insurance reserve fund functions like an insurance company, to which agencies and local governments pay premiums that cover property damage and liabilities ranging from school bus wrecks to lawsuits.
Haley said the money will be paid back.
But Senate Finance Chairman Hugh Leatherman repeatedly questioned what would happen if the Legislature doesn’t designate the repayment.
“Only the General Assembly can appropriate money,” said Leatherman, R-Florence, who sits on the five-member board. “I’ll be pushing for this to be appropriated. Still, I’m concerned.”
Haley said she would confront any senator who doesn’t support the payments covered by the loan.
“I can’t imagine which senator would hold up paying for something that went to protect the people of this state,” she said.
The board approved hiring a consultant to help the state figure out what it needs from a future consultant, which would help the state centralize computer security responsibility.
Inspector General Patrick Maley says the state’s current model, which lets each agency develop its own standards, is a recipe for disaster. He’s recommended that the state hire an expert to help with the transition. But officials say state government lacks the expertise to even know what it needs on that front.
Haley said there’s no estimate on what the consultants will cost. She’s also not sure how they’d be paid.
Agencies could split the cost, she said. That’s what her Cabinet agencies are doing to cover the around-the clock monitoring of their computer systems, as she required last month by executive order, she noted.
Five Cabinet agencies are spending a combined $560,000 in one-time money, plus $65,000 yearly in licensing fees.
“I don’t think this is a one-year issue, so the experts will have to be paid. Whether all of the agencies share in that cost or how that comes out, I think the General Assembly will have to work on that,” she said. “My goal is to say, `OK, this is what needs to happen.’ The Legislature’s going to have to figure out how to pay for it.”