State right to get ready for flood of paper returns

Any reluctance to file tax returns electronically following South Carolina's massive security breach is understandable.

The people whose personal information was stolen from the Department of Revenue were electronic filers; those who filed paper returns could breathe a sigh of relief. Their Social Security numbers, birth dates and bank routing information had not been absconded with.

State officials are telling us it's safe to file electronically even as they prepare to spend an additional $300,000 to $400,000 to process paper returns.

They should expect a lot more paper returns, not only because of last fall's security breach, but because the department still has not finished encrypting its stored data. The job, we're told now, should be finished by late April -- after tax-filing season.

It's hard to be confident that it will get done by then. Information about the security breach has been slippery at best, starting with how the breach occurred and how many people were affected.

We were told in December that taxpayers whose information was stolen would be notified by the end of the month. But now we're told that mailings began going out by ZIP code in mid-December and should continue this week. For those who signed up for a year of state-paid credit monitoring by Experian and provided an email address, email notices began Tuesday and should finish this week.

South Carolina has been pushing electronic filing since the early 1990s when it participated in a pilot state and federal program. The Department of Revenue has touted the increase in the percentage of all taxes collected electronically, hitting 81 percent last year. South Carolina is among the top 10 in the electronic filing of personal income taxes, according to the Washington-based Federation of Tax Administrators

That encouragement to file electronically makes the security breach that much more bitter to swallow. The state should have been a leader in data security at the same time it was pushing to lead in electronic filing.

The hackers' entry into the department's system was a result of a violation of basic computer security protocol: An employee clicked on an email link that contained malicious software. That software infected 22 computers and stole passwords to access unencrypted tax data.

A dual password system has just been installed -- finally. But the contract for encryption wasn't signed until Jan. 22. Assuming things go as planned, encryption won't be in place until six months after the breach was announced.

That's no way to restore confidence in the system.

Still, Verenda Smith, deputy director of Federation of Tax Administrators, says that there's no relationship between the security breach and how people file. Data from paper returns are entered into a computer by hand or scanned.

That suggests it ends up getting stored electronically.

If she is right, it's all the more reason for the state to get its act together on this critical issue.

And it's worth noting some of the costs to deal with this preventable theft. The dual-access authentication on laptops for people getting into the system remotely cost $12,000. The encryption contract cost $3.8 million.

The hacking, to date, has cost South Carolina $20 million, with another $16 million requested for work related to the breach in the new budget, The (Columbia) State newspaper reports.

On Monday, the state Department of Consumer Affairs released a YouTube video on ways to minimize the effects of identity theft. While helpful, it's hard to give state officials credit for telling us how we can clean up their mess. We'd rather see state officials prevent such thefts in the first place, particularly since we have no choice but to turn over our sensitive information to them.