COLUMBIA — A law firm representing the state in the aftermath of a massive cyber breach now says no competitors were contacted before the state reached a $12 million no-bid contract with Experian.
Attorney Jon Neiditz of Columbia firm Nelson Mullins said the confusion over whether the firm had contacted other credit monitoring companies resulted from an unclear statement made by another attorney.
The Revenue Department reached an initial agreement with Experian just before the breach affecting millions of current and former S.C. taxpayers was first announced publicly on Oct. 26.
The company is providing a year of credit monitoring for taxpayers and dependents as well as lifetime credit fraud resolution.
The confusion over whether Nelson Mullins ever reached out to Experian competitors began at an Oct. 30 Senate Finance Committee hearing.
Revenue Department Director James Etter, who is resigning effective at the end of this year, correctly told senators that no other companies were contacted besides Experian.
But Nelson Mullins attorney Thad Westbrook immediately followed up and told senators that pricing was obtained from two other firms but Experian had the ability to scale up quickly in an emergency situation.
Weeks after the hearing, Revenue Department spokeswoman Samantha Cheek named the other two companies that Nelson Mullins had obtained estimates from as Citreas and Identity Force.
She said those firms and Experian were examined because of their favorable pricing and services.
Obtaining pricing information from Experian competitors and examination did not include reaching out to them.
Neiditz said he had pre-existing pricing information from various cyber security companies and knew Experian could offer the best deal. The leaders of other firms have disputed that assessment.
Neiditz said Monday that Westbrook’s statement during the hearing caused confusion.
“It wasn’t clear,” Neiditz said. “It led to the impression that other companies had been contacted. I don’t think he was intending to mislead anyone. He may have only seen the information that I sent on those two vendors. I mentioned those vendors to him.”
Some senators have expressed concerns about the state’s no-bid contract with Experian.
Anderson GOP Sen. Kevin Bryant said it’s worrisome that no other companies were approached following the breach.
“This snowball just keeps getting bigger and bigger as time goes by,” he said. Bryant is co-chairman of a new oversight panel tasked with looking into the cyberattack.
Normally, state contracts are struck following a request for proposals from various companies.
But in reaching the deal with Experian, the state used emergency procedures. The emergency law can be used when there is “immediate threat to public health, welfare, critical economy and efficiency, or safety under emergency conditions.”
The law states “competition as is practicable shall be obtained.”
Neiditz recommended Experian to his firm, which then recommended Experian to the state. Nelson Mullins is being paid an estimated $100,000 for its work assisting the state.
Neiditz said he actually considered 20 vendors, not just Experian and two competitors as Westbrook and Cheek said, but never contacted any of them before deciding on Experian.
Neiditz said he provided pricing information on Citreas and Identity Force because they have different business models than Experian.
He said he first contacted Experian on Oct. 23, three days before the breach was announced.
Etter had told senators during the hearing that Experian was first contacted on Oct. 25. The Secret Service alerted state officials to the breach on Oct. 10.
Neiditz said Experian made the most sense for several reasons. Experian already had a contract worth about $750,000 with the S.C. Department of Health and Human services after a breach of Medicaid patient information announced in April. That deal also was reached using the emergency law.
Experian was best equipped to handle a large breach like the one at the Revenue Department and could move quickly, Neiditz said.
Still, Neiditz said he had intended to talk with Revenue Department officials about how the alternative model employed by Citreas and Identity Force could be useful.
“Given the timing of everything, we never really got to have those discussions,” he said. “As a result, I don’t think that those business models received full consideration. Neither did other companies.”
Neiditz said he was concerned that news of the breach would have leaked almost immediately if he had contacted a number of vendors before the state had been cleared by law enforcement to announce the cyberattack.
Reached by The Associated Press, the CEOs of Citreas and Identity Force said earlier this month that their pricing would have been competitive with Experian and their services would have been superior in some ways. Gov. Nikki Haley has said she negotiated with Experian and got a great deal for the state when Experian agreed to cap its compensation at $12 million.
Bryant questions that logic, saying vendors likely would have been beating down the state’s doors and possibly could have provided a better deal with the potential for millions of future customers in mind.
“I do realize something did have to be done,” Bryant said. “I guess we just have to ask more questions about the timeline.”
The breach oversight committee is scheduled to meet for the first time at 10 a.m. Wednesday.