COLUMBIA, S.C. - Gov. Nikki Haley on Tuesday called on state agencies to take a good look at how they’re handling information security - and, if necessary, to replace staffers in key areas.
“There is not one person in your agency that is exempt from knowing about security,” Haley told members of her Cabinet. “If you don’t have top of the line key IT and security people, get rid of them. ... Really start to look at that and see if you have the right people in the right places.”
Tuesday’s meeting was primarily an update from Department of Revenue director Bill Blume on what his agency has done to improve its security over the past 10 months.
About 6.4 million taxpayers and businesses had Social Security and bank account numbers stolen in the hacking of computers at South Carolina’s Department of Revenue last year, the nation’s largest of a state agency. So far, no money loss has been attributed to the hacking, Haley said Tuesday.
Si nce then, Blume said, his agency has created a “culture of security” that is rooted not just in IT or security personnel but in each of the department’s 800 employees.
“We’re using everything we have,” Blume said. “We don’t stop at our IT portion of our organization.”
Revenue, like many other agencies, relies on some outside companies to get its work done. But the director stressed that it’s the agencies - and their chiefs, like him - who are responsible for making sure those vendors’ work is secure.
“I own it,” Blume said, of the liability borne by his agency. “I can’t get rid of it.”
In the aftermath of what Haley referred to as the “DOR debacle,” agencies have been undergoing security assessments to ensure such a breach doesn’t occur again. Jimmy Earley, director of the state’s Division of State Information Technology, said Tuesday that his department will be talking with the different Cabinet agencies about how to secure their data by classifying it into different categories.
“We will provide each agency wit h a standard approach,” Earley said. “Each agency will better understand what data they have, where it resides, where it is housed.”
Haley also said each of her Cabinet agencies would be receiving a set of directives on how to keep its information safer, including instructions as simple as selecting email addresses individually and not allowing them to automatically populate from address books. That process might take more time, but no amount of convenience is worth risking security, the governor said.
“We can’t say that we’re a state that cares about security, and at the first sign of inconvenience, we stop that,” Haley said. “We are now not going to compromise security for convenience.”
Haley’s directives apply only to the departments within her Cabinet, but the Republican urged state lawmakers to look at what she’s doing and consider legislation that could apply the security measures more broadly.
“Other agencies need to be doing this,” Haley said.