Tim Smith, Greenville News
COLUMBIA - Kate Churches doesn't think the credit monitoring service the state now provides as a result of last year's hacking at the Revenue Department is enough.
"I'm sure our identities could be used for all kinds of things, like fake passports ...," she posted to GreenvilleOnline.com's Facebook page. "Credit monitoring only for a year is pretty useless. It's like putting a Band Aid on a hatchet wound."
But Rosmarie D'Ginto isn't so sure.
"I think the credit monitoring should be sufficient unless someone's credit becomes compromised," she posted, "at which time I feel the state IS RESPONSIBLE."
The opinions reflect a larger debate that has begun in the Legislature over what to do once the state's $12 million contract with the credit monitoring firm Experian expires.
Should the state examine identity theft protection services, which say they go beyond monitoring credit files? Should it stay with credit monitoring and offer additional tax breaks for those who want more?
Lawmakers, many of whom are still learning the complexities of identity theft, have not yet formed a consensus.
"It's an evolving thing," Senate Finance Committee Chairman Hugh Leatherman told GreenvilleOnline.com. He said it isn't a one-year proposition. "Maybe five years, we don't know. I do know this, we have to give our citizens protection."
In debating a bill aimed at protecting taxpayers and agencies from data breaches, two leading Democrats criticized a portion of the bill offering a continuation of credit monitoring for affected taxpayers.
"If we don't pass this amendment, all we've given them is some monitoring, which doesn't really do anything for them and hasn't reached everybody that needs to be reached," Sen. Nikki Setzler, the leader of Senate Democrats, told the Senate.
Sen. Vincent Sheheen, a Camden Democrat who recently announced to plans to run again for governor, agreed.
"If we don't pass this, then we're basically providing monitoring," he said. "If you get ripped off, we're going to call you up and tell you your credit was just ripped off. And that's not acceptable."
The Senate subsequently voted to pass the bill authorizing up to 10 years of credit monitoring for those victimized by last year's hacking. The bill also authorizes tax deductions of $300 per person or $1,000 per family for those who want to look at services beyond what the state offers. But the issue is far from settled.
Some lawmakers want the state to examine the idea of identity theft protection, which could include credit monitoring but also include services such as monitoring utility and wireless applications, address changes and searching Internet sites that are known to traffic in stolen information.
"There is a study going on now that will give us a better idea of how much protection would cost," said Sen. Kevin Bryant, an Anderson Republican who co-chairs a Senate panel investigating last year's breach. "I think it's very necessary for us to at least look at that."
The state first offered a credit monitoring service last October when Gov. Nikki Haley disclosed the Revenue Department breach and urged anyone who had filed taxes online to enroll in Experian's credit monitoring service, which she negotiated.
For $12 million, Experian has provided any affected taxpayer who enrolls in coverage under their ProtectMyID service a year of daily monitoring of files at all three credit bureaus, providing alerts to taxpayers when something changes in their credit files, one free credit report, and coverage of minor dependents once a parent enrolls in the company's Family Secure plan.
The coverage also includes lifetime fraud resolution service in which the company helps taxpayers with questions or to make phone calls if they become victims of identity theft. That includes fraud outside credit reports, such as bank fraud, Experian's spokesman has said. The plan also includes $1 million in identity theft protection.
The hacking exposed 3.8 million Social Security numbers, 3.3 million bank account numbers and information for nearly 700,000 businesses.
About 38 percent of affected taxpayers have signed up for the Experian service as of last month's deadline.
Some taxpayers have enrolled in Lifelock, a company that advertises itself as an identity theft protection service.
"I felt the need to purchase a subscription to Lifelock due to the security breach," Jay C. Russell posted to Facebook. "I received multiple alerts that my data had been breached and all the credit monitoring does is let me see something after it has already happened."
New companies emerge
Lifelock offers identity theft protection plans that include removing enrollees' names from mailing lists for credit offers, monitoring new credit and non-credit applications, address changes and watching "known criminal websites" for illegal sales of personal information and providing credit reports, according to its website.
The company also offers an additional service that looks for the opening of new checking or savings accounts, as well as payday loans. The company offers a $1 million service guarantee and identity theft protection insurance, according to its website.
Bryant said Lifelock is aware of South Carolina's situation. He said it's one of the companies that has made "themselves readily available at every turn for the last couple weeks."
Records at the State Ethics Commission show Lifelock has hired four lobbyists.
The company said the Lifelock executive who could respond to GreenvilleOnline.com's questions was unavailable.
Greg Young, a spokesman for Experian, said no solution can guarantee the prevention of fraudulent use of South Carolina taxpayer information.
"The industry standard is to provide an individual with actionable, near real-time awareness of possible fraudulent use of their personal information," he said. "Our offering is comprehensive and delivers industry leading alert functionality, helping individuals keep watch over possible fraudulent use of their identities."
Young said that while competitors' fraud resolution services must engage with credit bureaus to remedy issues, "our clients get direct access to Experian credit bureau personnel who can provide assistance to resolve issues."
There is no verified case yet of identity theft linked to the hacking, according to the Revenue Department, although dozens have said they believe they are victims.
Sheheen, who also believes victims exist now, proposed the creation of a victims fund, which the Senate approved. The Legislature's budget committees would have to decide how much money to place in the fund, if the House agrees one should be created.
Beyond credit monitoring
Sen. John Scott, a Richland County Democrat, said he feels the state should look at companies that go beyond credit monitoring. Those companies look at things like health records and the use of Social Security, he said.
He said taxpayers should be able to choose the level of protection they want, with the state aiding in some way, whether through a tax deduction or refund.
Scott said officials have had enough time to find companies with different services that can bid on the state's business "so we can make the right kind of decisions that South Carolinians deserve."
The House has provided $25 million to address the hacking but has not identified how exactly it should be spent and what should happen once the Experian contract expires. Those decisions are expected once the Legislature completes its budget and a consultant's report on state agency cyber security needs is completed.
"In the short term, I think it's critical that the state continues to monitor the credit of the people who were affected and continue to make it available to those folks, even the ones who did not sign up," said House Majority Leader Bruce Bannister of Greenville.
After two years, he said, lawmakers should examine how many have had to use the credit monitoring coverage and whether any of the stolen information has resulted in harm to taxpayers.
"I think we should go with the provider that provides the best value for the money," he said. "If Lifelock has a competing product that is more economical or a competing product for the same money that offers additional services, I think we should look at all options on the table and decide which one is best."
Carri Grube Lybarker, administrator for the state Department of Consumer Affairs, said credit monitoring services typically are reactive.
"You're getting an alert that something may have changed on one of your credit reports that you weren't a party to," she said, "that you have to determine if it was identity-theft related or it was you. The identity theft has already occurred, theoretically, and the monitoring just assists you with minimizing the effects of that."
Identity theft protection, she said, might be a security freeze on credit files so an thief who tries to use a person's information for credit is declined because the company can't get access to the credit file.
"It prevents that identity thief from being able to perpetrate the crime," she said.
Companies marketing themselves with protection services may offer Internet trolling, she said, and other services.
She said credit monitoring is not a silver bullet because it only provides notification if the thief is trying to access a person's credit file.
"If they are trying to get a job or trying to file taxes or get your Social Security benefits, or trying to hit your medical benefits, that credit report is not going to be pulled so there isn't going to be that trigger," she said.
She said while consumers can take additional steps, she doesn't know of a single product that offers a holistic solution.
And she said sometimes companies will sign consumers up for things they could do for free.
Opting out of pre-screened credit offers or direct mailers, signing up on the do-not-call list, and placing a fraud alert or security freeze on credit reports are steps people can take themselves at no charge, Lybarker said.