Columbia, SC (WLTX) --Two state senatorssay South Carolina could see cyber security legislation by next month.
It has been nearly three months since the data breach at the South Carolina Department of Revenue.
On October 26th, News 19 first reported thatan estimated3.6 million Social Security numberswere compromised and 387,000 credit and debit card numbers were exposed in a data breach at the Department of Revenue.
That same day, Governor Haley promised to respond with a large scale plan to deal with the state's cyber security. She issued an executive order that calls for greater coordination between state agencies. She wants the leaders of the departments to give documentation and reports to the state inspector general, and he will recommend new security protocols for the state.
The Inspector General's reportreleased in Decembercalls for a new statewide information security program, citing the current one as not acceptable. It states that the state has not fixed "responsibility, accountability, and authority for statewide data security."
The report, issue by Inspector General Pat Maley,interviewed 18 agency chief information officers, finding many rate their own agency below average in their information security capabilities.
On Monday, Senator Kevin Bryant (R-Anderson),co-chairof the Senate Sub-Committee tasked with investigating the breach,tells News 19that new statewide legislation go could into effect by mid-February.
"We are working on new ideas for legislation this week," said Senator Bryant. "We want to propose a statewide standard to monitor all state agencies."
Sen. Bryant says they hope to have their next subcommittee meeting Wednesday, continuing to interviewstate officials with knowledge of the data breach.
Sen. Darrell Jackson (D-Hopkins) is also on the Senate subcommittee investigating what happened at the DOR. He tells News 19 that he still has many questions that need to be answered. He agrees with Sen.Bryantsaying that legislation could come by mid-February.
"Many of my constituents are almost in a panic over the data breach, said Sen.Jackson over the phone. "This could be the biggest story to effect this state in my twenty years in office."
Just before Christmas, the state began notifying residents whose data was compromised in the data breach.
Since Friday January 11th, the Department of Revenue says there have been 2,224,107 million notification letters mailed out across the state. The mailing of those letters have cost the state $1.3 million dollars.
News19has raised questions regarding the notification letters,specifically, why some residents are receiving a breach letter when the never filed electronically?
Monday, spokesperson Samantha Cheek told News 19 the following: "Taxpayers who file joint returns will each receive a notification letter, if affected. Please keep in mind that letter are continuously being mailed on a staggered basis."
Cheek says the Department of Revenue will not speculate as to why individuals, who didn't file electronically received a notification letter.TheRevenueDepartmentsaysthey will assistthose people individually to find out why this happened.
When asked what percentage of Social Security numbers are now encrypted at the South Carolina Department of Revenue, Cheek says "we are continuing to work through encrypting all social security numbers to ensure a fair and equitable process."
As for who is responsible for the hacking, law enforcement isn't saying. Monday, News 19 asked the South Carolina Law Enforcement Division:
-Are we any closer to an arrest?
-Does SLED know who took the data?
-Is SLED still working with the Secret Service on this investigation?
-Can you confirm the nationality of the hacker at this time?
-If an arrest were to be made, what would the charges be?
SLED spokesmanThom Berrysaid, "I can tell you that the investigation is ongoing. It would be inappropriate to comment on specifics of the investigation at this time."
Last week The Greenville News reported that nearly three months after officials publicly disclosed a massive data breach at the state Revenue Department, the agency has yet to begin encrypting most of its data.