COLUMBIA — Gov. Nikki Haley’s administration will not publicly release a previously undisclosed, more-detailed report on how a hacker breached the S.C. Department of Revenue, affecting sensitive information for millions of taxpayers.
State lawmakers reached by The Post and Courier this week said they were never informed of the existence of the report by the administration.
Those legislators and an attorney for the S.C. Press Association said the report, or at least most of it, needs to be released to the public.
Press Association attorney Jay Bender, an expert on the state’s Freedom of Information Act, said the law does not allow the Revenue Department to withhold the report entirely.
He said the agency can redact sensitive information on security, but must release the rest of the report.
“The only thing that’s not a public record is (information related to) security plans and devices,” Bender said. “The rest of the information must be made public.”
The report is being produced by Mandiant, the cyber security firm the state is paying $700,000 to investigate the breach.
The report is “confidential,” and the shorter version of the report released to the public last month “included every piece of information Mandiant determined would not create new or further security risks,” said Samantha Cheek, a spokeswoman for the Revenue Department.
The Revenue Department argued that the report must not be made public, citing a section of state law that says, “Information relating to security plans and devices proposed, adopted, installed, or utilized by a public body, other than amounts expended for adoption, implementation, or installation of these plans and devices, is required to be closed to the public and is not considered to be made open to the public under the provisions of this act.”
Cheek said the report still is being finalized.
Marshall Heilman, a director with Mandiant, said the company never releases its incident-response reports, which are developed for clients and sometimes their law enforcement partners.
“Our reports are very detail oriented and contain information about the investigation as well as weaknesses in our clients’ environments. This information may be used by an attacker to better understand how to target the victim organization,” Heilman said in a statement.
After The Post and Courier began asking questions about the report, Haley spokesman Rob Godfrey said this week that the administration will make the full report available to lawmakers and constitutional officers on request.
Godfrey said that, heeding the advice of Mandiant, the administration will not publicly release the report.
Sen. Tom Davis, R-Beaufort, said the Revenue Department needs to provide a much more detailed explanation for why it is withholding the report.
“There has to be an extremely high threshold to justify withholding information that is clearly in the public interest,” he said.
Rep. Leon Stavrinakis, D-Charleston, said the public needs to be able to see at least the parts of the report detailing what happened and what the damage and fallout are.
Sen. Kevin Bryant, an Anderson Republican co-chairing a new subcommittee examining the breach, said the panel’s attorneys will examine the report and make their own determinations about what information may be too sensitive to release.
“If it’s simply embarrassing information, then I still think the people of the state need to know,” Bryant said.
Sen. Vincent Sheheen, D-Camden, called it “shocking” that neither the public nor lawmakers were made aware of the existence of the more-detailed report.
“I think that my general approach is, when you have millions of taxpayer records that have been compromised, you should err on the side of full disclosure, err on the full side of information, err on the side of letting people know what occurred,” Sheheen said. “To not even tell people that it existed is unacceptable.”
Sheheen said if there are sensitive elements of the report, such as Social Security numbers that “nobody is asking for,” they can be redacted, but “certainly we should be able to get the bulk, vast majority of the report.”
Withholding the full Mandiant report isn’t the first time the Revenue Department has held back information the agency has said it cannot release for security reasons.
Last month the Revenue Department released a heavily redacted version of its contract with Trustwave, the cyber security company the agency was using at the time of the breach.