COLUMBIA — A Democratic senator introduced legislation Tuesday to apologize to millions of South Carolina taxpayers for the cyber theft of their personal data — a move Gov. Nikki Haley’s office called a political stunt from a political adversary.
Sen. Vincent Sheheen said his proposed apology from the Legislature represents a symbolic yet important step toward restoring public trust in state government. Gaining trust starts with saying you were wrong, he said.
“Nobody’s been willing to step up,” said Sheheen, D-Camden, who lost to Haley in 2010 and is considered a potential contender for 2014.
Sheheen’s resolution would apologize for the government’s failure to take reasonable steps to secure Social Security and bank account numbers collected by the Department of Revenue. A computer hacker last September stole unencrypted data from the tax returns of 700,000 businesses and 3.8 million adults, as well as 1.9 million children listed on the filings. State officials didn’t even know taxpayers’ data was compromised until the U.S. Secret Service informed them weeks later.
The Department of Revenue is a Cabinet agency that reports to the governor.
Haley spokesman Rob Godfrey blasted the resolution as a stunt.
“It’s a political stunt, but one we have no problem with as long as the apology covers the decade-plus Vince was in the South Carolina Legislature and never once mentioned cyber-security,” he said.
Sheheen retorted by calling that a personal attack, noting he named no one either in his comments on the chamber floor or in the single-sentence proposed apology.
“I’m simply trying to do what Gov. Haley should have done months ago,” he said. “Gov. Haley should be joining me instead of attacking me.”
The back-and-forth hints at a potential rematch in 2014, though neither Haley nor Sheheen has announced a run. Haley says she’ll decide this summer whether she will run for a second term.
Haley initially announced the hacking Oct. 26 and said for weeks that the cyber-attack was so sophisticated that there was nothing the state could hae done to prevent it and that no one was to blame. She focused on telling taxpayers about the year of credit monitoring the state was providing, and the call center operators available for questions, under a contract she negotiated.
But on Nov. 20, in releasing details from a contracted firm’s report, she acknowledged state officials did not do enough to prevent the hacking. She also accepted the resignation of then-Revenue Director Jim Etter.
“Could South Carolina have done a better job? Absolutely, or we would not be standing here,” she said.
But the Republican governor, a states’ rights advocate who normally tells the federal government to butt out, went on to blame the debacle on outdated IRS security guidelines.
Asked Nov. 28 about that seeming contradiction, she said, “Let’s be very clear. I want states to be able to handle this themselves, but when we ask if we’re IRS-compliant, we need to know we’re getting updated information.”
“I ultimately am saying that South Carolina is the reason, is at fault for not doing this,” she continued. “I should’ve asked the extra question. I should’ve said, `Does this include encryption?”’
Sheheen’s resolution was sent Tuesday to the Senate Finance Committee. An appointed oversight panel of that committee has been holding hearings on the hacking.
Experts from Mandiant, the contracted forensic experts, have testified that the hacking could have been prevented if the agency had required more than one password to log into the system remotely and encrypted the data. Etter also testified that the agency went without a computer security chief for nearly a year before the hacking.
Former security chief Scott Shealy, who left in September 2011, told a House panel last week that his former boss — who resigned in September 2012 for reasons officials say are unrelated to the hacking — wouldn’t listen to his advice. Shealy said the hacking actually didn’t seem very clever or hard to detect.