A massive data breach at the South Carolina Department of Revenue that exposed information on individual and corporate taxpayers will be a wake-up call to public entities across the country, which store vast amounts of personal information but likely have inadequate security protections in place, information security and information law experts say.
“I don't see how it couldn't be,” said Jim Whetstone, senior vice president and U.S. technology and privacy manager at Hiscox Inc. in Chicago. “I've got to think government officials across the country are looking at this and asking questions.”
“The message from this is other states need to take heed and learn a lesson and be thankful it wasn't them because next time it might be,” said Richard J. Bortnick, member of the law firm Cozen O'Connor in West Conshohocken, Pa. “And it's not just states. It's all public entities.”
The South Carolina Department of Revenue announced late last month that approximately 3.6 million Social Security numbers and 387,000 credit and debit card numbers were exposed in a cyber attack. State officials later revealed that some companies' business identification numbers also had been stored in the database that was breached.
In a statement, the state said that on Oct. 16 investigators uncovered two attempts to probe the system in early September, and later learned of another attempt in late August. Two further intrusions occurred in mid-September, according to the state, and it was apparently then that the hacker first obtained data.
The state said the vulnerability in the system was closed Oct. 20 and that it now believes the system to be secure.
The South Carolina Department of Revenue contracted with information security company Mandiant Corp. to assist in the investigation of the breach, help secure the system, install new equipment and software, and tighten controls on access to the system.
In addition, the state began an outreach campaign to South Carolina taxpayers and offered affected individuals one year's free enrollment in Experian Information Solutions Inc.'s ProtectMyID program, which includes credit monitoring, identity theft insurance and lifetime identity theft resolution.
South Carolina Gov. Nikki Haley also announced that the state had contracted with Dun & Bradstreet Credibility Corp. to alert South Carolina businesses that have filed a tax return since 1998 to any changes in their business credit files. Experian also is offering affected businesses monitoring services.
“The state is working hard both to provide appropriate services to citizens and taxpayers in the most cost-effective way possible in response to the incident, and to provide information about how we can best protect ourselves from the fraud and ID theft that will remain an ever-present threat in the information economy,” said Jon A. Neiditz, a partner at Nelson Mullins Riley & Scarborough L.L.P. in Atlanta, who is serving as counsel to the state on the data breach.
Mr. Neiditz called the state's outreach campaign “an unprecedented level of communication about data breach risks,” and called the governor's negotiation of fixed fees with the credit monitoring services “truly unprecedented.”
David Navetta, founding partner of Information Law Group L.L.P. in Denver, said he thinks hackers may see public entities as a “treasure trove,” because their databases hold large volumes of information such as Social Security numbers and are seen as having weaker data security than most corporations.
Implementing data security measures such as encryption has been “hit or miss” in the public and private sectors, Mr. Navetta said, and tight budgets in a difficult economy have likely hampered public entities further in taking necessary data protection steps. “I do question on some level whether public entities are keeping up with the times in terms of security,” he said.
“It's probably a similar story across all industries — there are some that are farther along than others” in terms of implementing information security measures, said Mr. Whetstone. “But, as a class, my view is (public entities are) probably not as well-funded or not as well-resourced.”
Public entities might be further challenged by operating on older, less secure legacy systems, Mr. Whetstone said, or by operating on a variety of disparate information technology systems, similar “to what you have in an educational environment, when a large university might have a different system running in different departments.”
Betty P. Coulter, director of risk management and insurance at the University of North Carolina-Charlotte and president-elect of the Public Risk Management Association, said she believes public entities are making efforts to secure their data.
“I think public entities are making strides in protecting their data,” Ms. Coulter said, noting that UNCC follows several guidelines and governance standards on data security. In addition to services available from private-sector firms, organizations like PRIMA or the University Risk Management and Insurance Association are seeking to train members on information security issues and provide forums for them to share information on the subject, she said.
South Carolina may well face lawsuits from individuals affected by the breach, though their chances for success may be limited, experts said.
“I could see that there would be lawsuits against the state, and it will be up to the affected people to prove damages, which will not be easy,” said Mr. Bortnick. “You've got to prove actual harm.”
“In most cases, unless there's some kind of identity theft that occurs, plaintiffs have not been very successful in litigating these cases in either the private or public sector,” said Mr. Navetta.
Sovereign immunity protections might also be a factor, he said. “That may also be another defense for entities that suffered a data breach,” Mr. Navetta said. “That hasn't been fully tested, at least in a data breach context.”