Editorial: Blame for computer breach belongs in SC

This editorial appeared in The (Columbia) State on Thursday.

Good for Gov. Nikki Haley for finally acknowledging what long was clear to everyone else: Her state Revenue Department failed to do its job, and state employees indeed could have prevented the computer breach that compromised 5.7 million South Carolinians’ most sensitive financial information.

Backing away from her absurd assurances that the state was a completely helpless victim was an important step to begin to erase the credibility gap the governor had created for herself on this vital matter. It also allowed her to accept the resignation of Revenue Director Jim Etter.

We’re not certain whether Gov. Haley should be blamed for the breach. Although her personal experience with identity theft and the hacking that another Cabinet agency experienced should have raised her sensitivity to the danger, it’s not clear to us whether we should expect a governor to be that deep into the weeds of her agencies.

But some failures are so large that responsibility has to go beyond the individuals who did or didn’t do something that caused the problem, and this was one such failure. There’s no question that Mr. Etter had to accept blame for such a massive failure of our government to meet its minimum obligation to the public. Although it’s tempting — and some have succumbed to the temptation — to see this debacle as an indictment of putting the governor in control of state agencies, the fact that we will be getting “a new set of eyes” at the agency speaks to the wisdom of having the Revenue director answer to the governor rather than an unaccountable, anonymous board.

Unfortunately, even in acknowledging the state’s and, eventually, her own failures, the governor made a disturbing effort to downplay them. Her continued assertion that the state has learned it must go “above and beyond” implies that the state was doing the minimum necessary. It was not. And her call for the IRS to require states to encrypt state tax data suggests that the federal government somehow shares some of the blame. It does not.

Frankly, the governor’s letter complaining that the IRS “does not unequivocally require states to encrypt tax information” sounds more like what you’d hear from a federal-government-must-solve-our-problems Democrat than from a governor who told the Republican National Convention that her biggest challenge is all those nasty federal mandates.

We’re not certain we’re comfortable with the federal government telling states how to deal with their own data. But even if you agree with the governor’s newfound support for federal mandates, the IRS wouldn’t be the proper authority to issue such a mandate. That would either be the Congress or, perhaps, when it comes to Social Security numbers, the Social Security administration.

Yes, the Internal Revenue Service should be protecting the information it requires us to file with it, and to the extent that the federal government and other states were not protecting their data, we hope that South Carolina’s experience will awaken them to their own obligations.

But what the federal government does or doesn’t do isn’t the issue here. The issue is our state’s obligation to protect the information that it requires us to file with it. The only thing our state is now going “above and beyond” is the inadequate job that it was doing at the time it allowed our Social Security numbers, our bank records and all sorts of other sensitive personal information to be stolen.