Wednesday, October 31, 2012

South Carolina Breach and Error


This past week I have been reading about the data breach in South Carolina. Hackers gained access to the records of the Department of Revenue and the data of 3.6 million South Carolina taxpayers. Data ranging from Social Security numbers to home addresses was available.

In the days following the notice of the breach, Governor Nikki Haley has spoken about the data not being encrypted. In her comments she stated that “The industry standard is that most Social Security numbers are not encrypted. A lot of banks don’t encrypt. A lot of those agencies you might think encrypt Social Security numbers actually don’t. It’s not just that this was a DOR situation, but an industry situation.”

For the past ten years I have tried to bring to the attention of the public that data exposure is a real problem. In California, where the first data breach notice law was created, the standard is that if the data is encrypted then notice is not needed. This was included to provide businesses with a security step that would make encrypting the data a more cost-effective option.

There are numerous ways to encrypt the DOR data and still allow DOR personnel to use it. I wonder if the Governor considers paying for 3.6 million people to have credit report monitoring to be more cost-effective. We are rapidly approaching the point where those who have a breach, and had not taken the step of encrypting the data, will find themselves discussing the standards in front of a jury of their peers.
