COLUMBIA, SC — A bill, approved Tuesday by a powerful state Senate committee, would offer credit-fraud protection for 10 years to S.C. taxpayers and others after hackers stole information belonging to 6.4 million consumers, children and businesses from the S.C. Department of Revenue last fall.
The bill now goes to the full Senate.
Resolving the hacking incident and preventing future cyber-attacks could cost the state “hundreds of millions” in the future, warned Senate Finance Committee chairman Hugh Leatherman, R-Florence.
Meanwhile, fraud-prevention companies eagerly are offering to help South Carolina recover from the nation’s worst-ever hacking of a state agency.
The head of a House special committee looking into the breach said he has received pitches from several companies. An executive of an identity-theft protection firm recently testified before a Senate committee. And the governor’s office is weighing a number of offers to provide a year of no-cost protection to consumers. Providing the first year of that protection will cost the state $12 million.
“Every vendor out there knows this is an opportunity because we’re going to do something significant with IT (information technology) security,” said House Majority Leader Bruce Bannister, R-Greenville. “They’re looking for a good sales year in South Carolina.”
The bill approved unanimously Tuesday by the Senate Finance Committee also creates:
• A department of information security that reports to the governor
• A tax credit of $300 for individual filers and $1,000 for joint filers to buy credit protection
• An identity-theft unit at the S.C. Department of Consumer Affairs
• A pair of committees to recommend statewide technology and cyber-security policies
State Sen. Harvey Peeler, R-Cherokee, said he was concerned about the new staffing and layers of government created by the bill, developed after 11 meetings of a special committee. “I have not seen this much creation since Genesis.”
While no immediate cost estimates were available, Leatherman said he expects the state could spend “hundreds of millions.”
“Whatever the cost is, we have to do whatever we can to protect our citizens,” Leatherman said. “They have been compromised. They have got to live with that the rest of their lives. We cannot close this door when this horse got out, but I sure hope we can keep the doors closed next time.”
A House special committee probing the breach has not introduced a proposed bill to address the breach. However, representatives have introduced bills to create a state computer security office and develop a fund to reimburse identity-theft victims.
Helping people spot credit fraud was the goal of signing Experian to a $12 million, one-year emergency state contract, reached just before Gov. Nikki Haley announced the breach in October.
Experian agreed to provide a year of credit monitoring for 5.7 million taxpayers and their children. More than 1.3 million consumers have registered for the credit monitoring, the Revenue Department said. The deadline to enroll for the first year of free-to-consumers monitoring is March 31.
Now, fraud-prevention companies are vying to provide aid to consumers during a second year. Experian has offered to provide a second year of coverage for $10 million.
The House has set aside $25 million in next year’s state budget, which takes effect July 1, to cover another year of credit protection, which lawmakers insist will be awarded through the state’s formal bidding process. Any remaining money would pay for other hacking-prevention work, such as proposals to start a state department of information security.
Haley’s office is talking to companies and lawmakers about providing “South Carolinians with the best protection at the least cost and least hassle to them,” spokesman Rob Godfrey said.
Clarissa Cerda, chief legal officer at identity-theft protection firm LifeLock, recently testified for more than an hour before a Senate special committee on the breach at the suggestion of a lobbyist.
Cerda said credit monitoring with alerts of bogus loans and credit cards did not go far enough to protect consumers from ID theft. She said her company was more proactive, looking for other forms of fraud such as claims for medical and government benefits.
“As thieves have become more sophisticated, the crime has moved beyond the solutions employed by most states,” Cerda testified. “You’re in a position to really consider bringing a 21st-Century solution to address this 21st-Century problem, rather than taking the more reactive, traditional approach of just addressing the very limited symptom at hand.”
Cerda’s testimony led to amendments in the Senate bill that widened the definition of identity-theft protection to include services offered by LifeLock. Senators also approved tripling to $1,000 the maximum tax credit to buy credit protection for joint filers to accommodate higher-price programs such as LifeLock, which can cost up to $300 a year per person.
Cerda did not make a formal pitch for her company during her testimony, but senators asked her to send cost estimates during the hearing.
Some identity-theft experts say it is not appropriate for companies to be pitching for business now.
“It’s aggravating to me that this becomes a sales opportunity,” said Avivah Litan, an identity-theft analyst with the Gartner research firm. “They (lawmakers) shouldn’t listen to vendors at this time. It’s not in best interest of consumers.”
Sign up for credit monitoring
The deadline is March 31 to register for a year of credit monitoring at no cost to you from Experian.
Who is eligible? Taxpayers affected by the breach should have received notices earlier this year from the state.
To register online: Go to www.protectmyid.com/scdor and enter code SCDOR123
To register by phone: Call (866) 578-5422