South Carolina recovers, learns from data breach
It was this past October that South Carolina suffered a massive data breach in which the social security numbers and credit card information of more than 3.8 million taxpayers were stolen through an Internet phishing attack.
Since that time, the state has taken quick and aggressive action to minimize the risk of an attack of that magnitude again, said Jimmy Earley, director of South Carolina’s Division of State Information Technology.
In an interview with StateScoop, Earley said that South Carolina has an incredibly decentralized information technology structure in which each of the state’s 72 agencies is responsible for its own IT and security.
“The breach was a lot about governance and authority,” Earley said. “What we lacked was a central security office that provided guidance and a framework to work within. Agencies were left to their own devices. I’m not saying they haven’t done a good job, but there wasn’t a central office to provide them with the help they really needed.”
To avoid future breaches, the state knew it needed to act swiftly. The Budget and Control Board, a state agency that houses Earley’s office, was directed to bring in security experts from the private sector to assist with the development and implementation of a statewide information security program.
The state issued a request for proposal and Deloitte won the contract, going to work in March to help South Carolina strengthen its security.
“The task for Deloitte is to help us set up a statewide security office and deliver the expertise we need,” Earley said. “They are helping to define the policies and procedures to put in place that can guide the agencies in their efforts to better manage security.”
The contract was essentially split into two tasks. The first was to assess the state’s most serious vulnerabilities and come up with some type of plan – and the budget requirements needed to implement it – by the beginning of the state’s new fiscal year in July.
As part of the contract, Deloitte was required to deliver a report by May 1 that included findings and recommendations based on three agencies’ risk assessments that were sent to the General Assembly. The state’s House of Representatives and Senate, along with Gov. Nikki Haley, worked to make money available in the budget to implement Deloitte’s recommendations. Those included creating a new Division of Information Security within the Budget and Control Board and an Enterprise Privacy Office. Twenty-one positions were allocated for the new security division, including a state chief information security officer, which is currently open for applications. An additional three positions were allocated for the Enterprise Privacy Office. For the state, this included a $10.6 million investment, $4.8 million of which is non-recurring.
Of course, that was just the beginning. As the second part of the contract, Deloitte and the state are now working on 15 agency assessments that will be completed over the next 12 to 14 months. The company will also continue to work with South Carolina to establish key enterprise security priorities and develop standards, including a proper governance structure and future budget requests.
“The focus over the next couple of months is to start hiring key personnel,” Earley said. “We want to get the new people involved and moving forward and that will spur a lot of the projects and initiatives around this plan.”
He continued, “What we’ve really tried to do here is take a step back and understand why this breach occurred. There was a reason for it. While it was something terrible that happened, there is a learning experience that can come from it and we can come out stronger because of it.”